10341000x800000000000000013681Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:03.921{8A675139-3B49-5FA5-0B00-000000008801}8641112C:\Windows\system32\lsass.exe{8A675139-3B48-5FA5-0100-000000008801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000013688Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:16.843{8A675139-3B4B-5FA5-1000-000000008801}11601904C:\Windows\system32\svchost.exe{8A675139-42C8-5FA5-B406-000000008801}5732C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013687Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:16.843{8A675139-3B4B-5FA5-1000-000000008801}11601708C:\Windows\system32\svchost.exe{8A675139-42C8-5FA5-B406-000000008801}5732C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013686Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:16.843{8A675139-3B4B-5FA5-0C00-000000008801}6086512C:\Windows\system32\svchost.exe{8A675139-42C8-5FA5-B406-000000008801}5732C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013685Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:16.827{8A675139-3BB0-5FA5-8B00-000000008801}49444984C:\Windows\system32\csrss.exe{8A675139-42C8-5FA5-B406-000000008801}5732C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013684Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:16.827{8A675139-3B49-5FA5-0500-000000008801}6481168C:\Windows\system32\csrss.exe{8A675139-42C8-5FA5-B406-000000008801}5732C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013683Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:16.827{8A675139-3B4B-5FA5-0C00-000000008801}6086512C:\Windows\system32\svchost.exe{8A675139-42C8-5FA5-B406-000000008801}5732C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013682Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:16.218{8A675139-3BB2-5FA5-9600-000000008801}46164788C:\Windows\system32\taskhostw.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013738Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.843{8A675139-3B4B-5FA5-1000-000000008801}11601904C:\Windows\system32\svchost.exe{8A675139-42C9-5FA5-B606-000000008801}2592C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013737Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.843{8A675139-3B4B-5FA5-1000-000000008801}11601708C:\Windows\system32\svchost.exe{8A675139-42C9-5FA5-B606-000000008801}2592C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013736Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.843{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-42C9-5FA5-B606-000000008801}2592C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013735Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.843{8A675139-3BB0-5FA5-8B00-000000008801}49442804C:\Windows\system32\csrss.exe{8A675139-42C9-5FA5-B606-000000008801}2592C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013734Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.843{8A675139-3B49-5FA5-0500-000000008801}6481168C:\Windows\system32\csrss.exe{8A675139-42C9-5FA5-B606-000000008801}2592C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013733Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.843{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-42C9-5FA5-B606-000000008801}2592C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013732Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.827{8A675139-3B4B-5FA5-1000-000000008801}11601904C:\Windows\system32\svchost.exe{8A675139-42C9-5FA5-B506-000000008801}5524C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013731Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.827{8A675139-3B4B-5FA5-1000-000000008801}11601708C:\Windows\system32\svchost.exe{8A675139-42C9-5FA5-B506-000000008801}5524C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013730Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.827{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-42C9-5FA5-B506-000000008801}5524C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013729Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.812{8A675139-3BB0-5FA5-8B00-000000008801}49442804C:\Windows\system32\csrss.exe{8A675139-42C9-5FA5-B506-000000008801}5524C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013728Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.812{8A675139-3B49-5FA5-0500-000000008801}648664C:\Windows\system32\csrss.exe{8A675139-42C9-5FA5-B506-000000008801}5524C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013727Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.812{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-42C9-5FA5-B506-000000008801}5524C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013726Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.812{8A675139-3BB2-5FA5-9300-000000008801}19645600C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013725Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.812{8A675139-3BB2-5FA5-9300-000000008801}19645600C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013724Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.812{8A675139-3BB2-5FA5-9B00-000000008801}50963104C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013723Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.812{8A675139-3BB2-5FA5-9B00-000000008801}50963104C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013722Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.780{8A675139-3BB2-5FA5-9300-000000008801}19645600C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013721Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.780{8A675139-3BB2-5FA5-9300-000000008801}19645600C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e 10341000x800000000000000013720Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.780{8A675139-3BB2-5FA5-9B00-000000008801}50962320C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000013719Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.780{8A675139-3BB2-5FA5-9B00-000000008801}50962320C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000013718Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.780{8A675139-3BB2-5FA5-9B00-000000008801}50964212C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c4a3f|C:\Windows\System32\SHELL32.dll+c5b25|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013717Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.780{8A675139-3BB2-5FA5-9B00-000000008801}50964212C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c5a3e|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013716Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3BB2-5FA5-9B00-000000008801}50964212C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c4c94|C:\Windows\System32\SHELL32.dll+c5a07|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013715Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0D00-000000008801}10041468C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013714Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0D00-000000008801}10041468C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013713Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0D00-000000008801}10041468C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013712Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0D00-000000008801}10041468C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013711Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0D00-000000008801}10041468C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013710Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0D00-000000008801}10041468C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013709Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0D00-000000008801}10041468C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013708Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0D00-000000008801}10041468C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013707Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0D00-000000008801}10041468C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013706Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0D00-000000008801}10041468C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013705Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0D00-000000008801}10041468C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013704Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0D00-000000008801}10041468C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013703Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0D00-000000008801}10041468C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013702Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0D00-000000008801}10041468C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013701Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013700Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013699Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013698Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x800000000000000013697Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x800000000000000013696Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x800000000000000013695Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0C00-000000008801}6086512C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013694Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3BB2-5FA5-9B00-000000008801}50962508C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013693Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3BB2-5FA5-9B00-000000008801}50966100C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013692Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013691Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3BB2-5FA5-9B00-000000008801}50966100C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013690Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3BB2-5FA5-9B00-000000008801}50962320C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+18985|C:\Windows\System32\TwinUI.dll+1a704|C:\Windows\System32\TwinUI.dll+1a608|C:\Windows\System32\TwinUI.dll+1ba5f|C:\Windows\System32\TwinUI.dll+1a02d|C:\Windows\System32\TwinUI.dll+1cef1|C:\Windows\System32\TwinUI.dll+40e510|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0 10341000x800000000000000013689Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:17.765{8A675139-3BB2-5FA5-9B00-000000008801}50962320C:\Windows\Explorer.EXE{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+18985|C:\Windows\System32\TwinUI.dll+1a76c|C:\Windows\System32\TwinUI.dll+1a5f5|C:\Windows\System32\TwinUI.dll+1ba5f|C:\Windows\System32\TwinUI.dll+1a02d|C:\Windows\System32\TwinUI.dll+1cef1|C:\Windows\System32\TwinUI.dll+40e510|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0 10341000x800000000000000013760Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013759Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013758Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013757Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013756Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013755Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013754Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013753Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013752Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013751Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013750Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013749Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013748Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013747Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013746Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013745Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013744Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013743Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013742Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013741Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013740Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013739Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:32.405{8A675139-3B4B-5FA5-0D00-000000008801}1004924C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013797Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.936{8A675139-3BB2-5FA5-9300-000000008801}19643284C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013796Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.936{8A675139-3BB2-5FA5-9300-000000008801}19645488C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013795Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.936{8A675139-3BB2-5FA5-9300-000000008801}19643284C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e 10341000x800000000000000013794Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.936{8A675139-3BB2-5FA5-9300-000000008801}19645488C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e 10341000x800000000000000013793Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.936{8A675139-3BB2-5FA5-9300-000000008801}19644664C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013792Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.936{8A675139-3BB2-5FA5-9300-000000008801}19644664C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e 10341000x800000000000000013791Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.936{8A675139-3BB2-5FA5-9300-000000008801}19643284C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+26127|C:\Windows\system32\windows.cortana.Desktop.dll+2151b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013790Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.936{8A675139-3BB2-5FA5-9300-000000008801}19643284C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+214b1|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013789Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.905{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013788Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.905{8A675139-3BB2-5FA5-9B00-000000008801}50963104C:\Windows\Explorer.EXE{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013787Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.905{8A675139-3BB2-5FA5-9B00-000000008801}50963104C:\Windows\Explorer.EXE{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013786Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3B4B-5FA5-1000-000000008801}11601904C:\Windows\system32\svchost.exe{8A675139-42D9-5FA5-B706-000000008801}656C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013785Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3B4B-5FA5-1000-000000008801}11601708C:\Windows\system32\svchost.exe{8A675139-42D9-5FA5-B706-000000008801}656C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013784Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-42D9-5FA5-B706-000000008801}656C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013783Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3BB2-5FA5-9B00-000000008801}50962320C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000013782Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3BB2-5FA5-9B00-000000008801}50962320C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000013781Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3BB2-5FA5-9300-000000008801}19644664C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013780Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3BB2-5FA5-9300-000000008801}19644664C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e 10341000x800000000000000013779Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3BB2-5FA5-9300-000000008801}19643284C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013778Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3BB2-5FA5-9300-000000008801}19643284C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e 10341000x800000000000000013777Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3BB2-5FA5-9300-000000008801}19645488C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013776Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3BB2-5FA5-9300-000000008801}19645488C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e 10341000x800000000000000013775Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3BB0-5FA5-8B00-000000008801}49442804C:\Windows\system32\csrss.exe{8A675139-42D9-5FA5-B706-000000008801}656C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013774Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3BB2-5FA5-9300-000000008801}19645600C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+26127|C:\Windows\system32\windows.cortana.Desktop.dll+2151b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013773Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3BB2-5FA5-9300-000000008801}19645600C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+214b1|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013772Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3B49-5FA5-0500-000000008801}648772C:\Windows\system32\csrss.exe{8A675139-42D9-5FA5-B706-000000008801}656C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013771Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.483{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-42D9-5FA5-B706-000000008801}656C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013770Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.468{8A675139-3BB2-5FA5-9B00-000000008801}50963104C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013769Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.468{8A675139-3BB2-5FA5-9B00-000000008801}50963104C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013768Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.468{8A675139-3BB2-5FA5-9300-000000008801}19645488C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013767Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.468{8A675139-3BB2-5FA5-9300-000000008801}19645488C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e 10341000x800000000000000013766Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.468{8A675139-3BB2-5FA5-9300-000000008801}19645600C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\execmodelclient.dll+79be|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000013765Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.468{8A675139-3BB2-5FA5-9300-000000008801}19645600C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\execmodelclient.dll+791a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000013764Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.468{8A675139-3BB2-5FA5-9B00-000000008801}50965980C:\Windows\Explorer.EXE{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013763Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.468{8A675139-3BB2-5FA5-9B00-000000008801}50965980C:\Windows\Explorer.EXE{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013762Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.468{8A675139-3BB2-5FA5-9B00-000000008801}50963104C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013761Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:33.468{8A675139-3BB2-5FA5-9B00-000000008801}50963104C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013813Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.358{8A675139-3BB2-5FA5-9300-000000008801}19644664C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013812Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.343{8A675139-3BB2-5FA5-9300-000000008801}19644664C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e 10341000x800000000000000013811Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.343{8A675139-3BB2-5FA5-9300-000000008801}19645488C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013810Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.343{8A675139-3BB2-5FA5-9300-000000008801}19643284C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013809Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.343{8A675139-3BB2-5FA5-9300-000000008801}19643284C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e 10341000x800000000000000013808Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.343{8A675139-3BB2-5FA5-9300-000000008801}19645488C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e 10341000x800000000000000013807Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.343{8A675139-3BB2-5FA5-9300-000000008801}19644664C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+26127|C:\Windows\system32\windows.cortana.Desktop.dll+2151b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013806Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.343{8A675139-3BB2-5FA5-9300-000000008801}19644664C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+214b1|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013805Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.218{8A675139-3BB2-5FA5-9300-000000008801}19643284C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013804Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.218{8A675139-3BB2-5FA5-9300-000000008801}19643284C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e 10341000x800000000000000013803Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.218{8A675139-3BB2-5FA5-9300-000000008801}19645488C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013802Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.218{8A675139-3BB2-5FA5-9300-000000008801}19644664C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013801Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.218{8A675139-3BB2-5FA5-9300-000000008801}19644664C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e 10341000x800000000000000013800Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.218{8A675139-3BB2-5FA5-9300-000000008801}19645488C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e 10341000x800000000000000013799Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.218{8A675139-3BB2-5FA5-9300-000000008801}19643284C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+26127|C:\Windows\system32\windows.cortana.Desktop.dll+2151b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013798Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:34.218{8A675139-3BB2-5FA5-9300-000000008801}19643284C:\Windows\System32\RuntimeBroker.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+214b1|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x800000000000000013851Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.936{8A675139-3BB2-5FA5-9B00-000000008801}50963104C:\Windows\Explorer.EXE{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013850Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.936{8A675139-3BB2-5FA5-9B00-000000008801}50963104C:\Windows\Explorer.EXE{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013849Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.921{8A675139-3BB2-5FA5-9B00-000000008801}50961436C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+18319|C:\Windows\System32\SHELL32.dll+c51e0|C:\Windows\System32\SHELL32.dll+c5a07|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013848Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.921{8A675139-3BB2-5FA5-9B00-000000008801}50961436C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c4c94|C:\Windows\System32\SHELL32.dll+c5a07|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013847Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.921{8A675139-3BB2-5FA5-9600-000000008801}46164788C:\Windows\system32\taskhostw.exe{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013846Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.921{8A675139-3BB2-5FA5-9B00-000000008801}50965492C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+18319|C:\Windows\System32\SHELL32.dll+c51e0|C:\Windows\System32\SHELL32.dll+248f4|C:\Windows\Explorer.EXE+2fdf8|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013845Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.921{8A675139-3BB2-5FA5-9B00-000000008801}50965492C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c4c94|C:\Windows\System32\SHELL32.dll+248f4|C:\Windows\Explorer.EXE+2fdf8|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013844Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.921{8A675139-3BB2-5FA5-9B00-000000008801}50965492C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+18319|C:\Windows\System32\SHELL32.dll+c51e0|C:\Windows\System32\SHELL32.dll+c5a07|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013843Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.921{8A675139-3BB2-5FA5-9B00-000000008801}50965492C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c4c94|C:\Windows\System32\SHELL32.dll+c5a07|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013842Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.905{8A675139-3BB2-5FA5-9B00-000000008801}50965492C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013841Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.905{8A675139-3BB2-5FA5-9B00-000000008801}50962508C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+18319|C:\Windows\System32\SHELL32.dll+c51e0|C:\Windows\System32\SHELL32.dll+c6140|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013840Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.905{8A675139-3BB2-5FA5-9B00-000000008801}50962508C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c4c94|C:\Windows\System32\SHELL32.dll+c6140|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013839Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.905{8A675139-3BB2-5FA5-9B00-000000008801}50962508C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013838Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.905{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013837Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.889{8A675139-3BB2-5FA5-9B00-000000008801}50962320C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000013836Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.889{8A675139-3BB2-5FA5-9B00-000000008801}50962320C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000013835Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.874{8A675139-3B4B-5FA5-1000-000000008801}11601904C:\Windows\system32\svchost.exe{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013834Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.874{8A675139-3B4B-5FA5-1000-000000008801}11601708C:\Windows\system32\svchost.exe{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013833Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.874{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013832Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.874{8A675139-3BB2-5FA5-9B00-000000008801}50965940C:\Windows\Explorer.EXE{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013831Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.874{8A675139-3BB2-5FA5-9B00-000000008801}50965940C:\Windows\Explorer.EXE{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013830Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.874{8A675139-3BB2-5FA5-9B00-000000008801}50963104C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013829Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.874{8A675139-3BB2-5FA5-9B00-000000008801}50963104C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013828Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.874{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013827Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.858{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013826Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.858{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013825Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.858{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013824Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.858{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013823Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.858{8A675139-3BB0-5FA5-8B00-000000008801}49442804C:\Windows\system32\csrss.exe{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013822Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.858{8A675139-3BB2-5FA5-9B00-000000008801}50964544C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+eb551|C:\Windows\System32\SHELL32.dll+ea3b6|C:\Windows\System32\SHELL32.dll+8bfa1|C:\Windows\System32\SHELL32.dll+ec44e|C:\Windows\System32\windows.storage.dll+12f9e|C:\Windows\System32\windows.storage.dll+131a1|C:\Windows\System32\windows.storage.dll+12ddf|C:\Windows\System32\SHELL32.dll+8c027|C:\Windows\System32\SHELL32.dll+ec44e|C:\Windows\System32\SHELL32.dll+179e73 154100x800000000000000013821Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.861{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\System32\notepad.exe10.0.14393.0 (rs1_release.160715-1616)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\system32\notepad.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{8A675139-3BB1-5FA5-32E0-050000000000}0x5e0322HighMD5=3B508CAE5DEBCBA928B5BC355517E2E6,SHA256=DA0ACEE8F60A460CFB5249E262D3D53211EBC4C777579E99C8202B761541110A,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000013820Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.842{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2E00-000000008801}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013819Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.842{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2E00-000000008801}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013818Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.842{8A675139-3BB2-5FA5-9B00-000000008801}50962320C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9c27|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9b25|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d9c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000013817Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.842{8A675139-3BB2-5FA5-9B00-000000008801}50962320C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d9c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000013816Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.842{8A675139-3BB2-5FA5-9B00-000000008801}50962320C:\Windows\Explorer.EXE{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d9c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000013815Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.842{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2E00-000000008801}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013814Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:35.842{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2E00-000000008801}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013854Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:37.608{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B4B-5FA5-1600-000000008801}1648C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013853Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:37.608{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B4B-5FA5-1600-000000008801}1648C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013852Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:37.608{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B4B-5FA5-1600-000000008801}1648C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013858Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:38.983{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x800000000000000013857Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:38.983{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x800000000000000013856Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:38.980{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x800000000000000013855Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:38.980{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x800000000000000013875Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.514{8A675139-3BD0-5FA5-C900-000000008801}63926424C:\Windows\system32\conhost.exe{8A675139-42E1-5FA5-B906-000000008801}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013874Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.514{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013873Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.514{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013872Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.514{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013871Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.514{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013870Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.514{8A675139-3B49-5FA5-0500-000000008801}648664C:\Windows\system32\csrss.exe{8A675139-42E1-5FA5-B906-000000008801}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013869Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.514{8A675139-3BD0-5FA5-C500-000000008801}62046152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A675139-42E1-5FA5-B906-000000008801}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013868Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.515{8A675139-42E1-5FA5-B906-000000008801}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A675139-3B49-5FA5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013867Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.342{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x800000000000000013866Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.342{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x800000000000000013865Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.342{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x800000000000000013864Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.342{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x800000000000000013863Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.342{8A675139-3B4B-5FA5-0C00-000000008801}6085716C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x800000000000000013862Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.342{8A675139-3BB2-5FA5-9400-000000008801}45766128C:\Windows\system32\sihost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+1a0fc|C:\Windows\System32\modernexecserver.dll+1a09f|C:\Windows\System32\modernexecserver.dll+198f6|C:\Windows\System32\modernexecserver.dll+2c9d4|C:\Windows\System32\modernexecserver.dll+35efd|C:\Windows\System32\modernexecserver.dll+4d3a1|C:\Windows\System32\modernexecserver.dll+4d2bf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013861Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.186{8A675139-3B4B-5FA5-0C00-000000008801}6086512C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x800000000000000013860Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.186{8A675139-3B4B-5FA5-0C00-000000008801}6086512C:\Windows\system32\svchost.exe{8A675139-3BC1-5FA5-AA00-000000008801}5172C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x800000000000000013859Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:41.186{8A675139-3B4B-5FA5-0C00-000000008801}6086512C:\Windows\system32\svchost.exe{8A675139-3BC2-5FA5-AB00-000000008801}5276C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x800000000000000013892Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.858{8A675139-3BD0-5FA5-C900-000000008801}63926424C:\Windows\system32\conhost.exe{8A675139-42E2-5FA5-BB06-000000008801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013891Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.858{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013890Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.858{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013889Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.858{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013888Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.858{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013887Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.858{8A675139-3B49-5FA5-0500-000000008801}648664C:\Windows\system32\csrss.exe{8A675139-42E2-5FA5-BB06-000000008801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013886Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.858{8A675139-3BD0-5FA5-C500-000000008801}62046152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A675139-42E2-5FA5-BB06-000000008801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013885Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.859{8A675139-42E2-5FA5-BB06-000000008801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A675139-3B49-5FA5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013884Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.327{8A675139-42E2-5FA5-BA06-000000008801}40365712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013883Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.186{8A675139-3BD0-5FA5-C900-000000008801}63926424C:\Windows\system32\conhost.exe{8A675139-42E2-5FA5-BA06-000000008801}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013882Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.186{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013881Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.186{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013880Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.186{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013879Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.186{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013878Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.186{8A675139-3B49-5FA5-0500-000000008801}6481168C:\Windows\system32\csrss.exe{8A675139-42E2-5FA5-BA06-000000008801}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013877Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.186{8A675139-3BD0-5FA5-C500-000000008801}62046152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A675139-42E2-5FA5-BA06-000000008801}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013876Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:42.187{8A675139-42E2-5FA5-BA06-000000008801}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A675139-3B49-5FA5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013901Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:43.905{8A675139-42E3-5FA5-BC06-000000008801}69006924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013900Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:43.764{8A675139-3BD0-5FA5-C900-000000008801}63926424C:\Windows\system32\conhost.exe{8A675139-42E3-5FA5-BC06-000000008801}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013899Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:43.764{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013898Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:43.764{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013897Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:43.764{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013896Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:43.764{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013895Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:43.764{8A675139-3B49-5FA5-0500-000000008801}648664C:\Windows\system32\csrss.exe{8A675139-42E3-5FA5-BC06-000000008801}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013894Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:43.764{8A675139-3BD0-5FA5-C500-000000008801}62046152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A675139-42E3-5FA5-BC06-000000008801}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013893Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:43.765{8A675139-42E3-5FA5-BC06-000000008801}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A675139-3B49-5FA5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013910Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:44.780{8A675139-42E4-5FA5-BD06-000000008801}8325564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013909Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:44.624{8A675139-3BD0-5FA5-C900-000000008801}63926424C:\Windows\system32\conhost.exe{8A675139-42E4-5FA5-BD06-000000008801}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013908Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:44.624{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013907Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:44.624{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013906Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:44.624{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013905Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:44.624{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013904Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:44.624{8A675139-3B49-5FA5-0500-000000008801}648664C:\Windows\system32\csrss.exe{8A675139-42E4-5FA5-BD06-000000008801}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013903Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:44.624{8A675139-3BD0-5FA5-C500-000000008801}62046152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A675139-42E4-5FA5-BD06-000000008801}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013902Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:44.624{8A675139-42E4-5FA5-BD06-000000008801}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A675139-3B49-5FA5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013984Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000013983Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000013982Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000013981Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000013980Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000013979Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013978Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013977Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013976Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000013975Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013974Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013973Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013972Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000013971Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013970Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013969Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013968Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.764{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000013967Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.748{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013966Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.748{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013965Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.748{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013964Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.748{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000013963Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.748{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013962Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.748{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013961Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.748{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013960Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.748{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000013959Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.748{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000013958Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.748{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000013957Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.748{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000013956Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.748{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000013955Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.733{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013954Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.733{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013953Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.733{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013952Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.733{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000013951Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.733{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013950Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.733{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013949Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.733{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000013948Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.733{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000013947Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.686{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8|C:\Windows\System32\SHELL32.dll+13e9bb|C:\Windows\System32\SHELL32.dll+13eb27|C:\Windows\System32\SHELL32.dll+13eaaa|C:\Windows\System32\COMDLG32.dll+10a98 10341000x800000000000000013946Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.686{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8|C:\Windows\System32\SHELL32.dll+13e9bb|C:\Windows\System32\SHELL32.dll+13eb27|C:\Windows\System32\SHELL32.dll+13eaaa|C:\Windows\System32\COMDLG32.dll+10a98 10341000x800000000000000013945Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.686{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8 10341000x800000000000000013944Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.686{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8|C:\Windows\System32\SHELL32.dll+13e9bb 10341000x800000000000000013943Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.670{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+1b25d|C:\Windows\system32\explorerframe.dll+3458b|C:\Windows\system32\explorerframe.dll+33ee4|C:\Windows\system32\explorerframe.dll+32f8a|C:\Windows\system32\explorerframe.dll+3306c|C:\Windows\System32\SHELL32.dll+99473|C:\Windows\System32\SHELL32.dll+99bd4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x800000000000000013942Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.670{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+1b25d|C:\Windows\system32\explorerframe.dll+3458b|C:\Windows\system32\explorerframe.dll+33ee4|C:\Windows\system32\explorerframe.dll+32f8a|C:\Windows\system32\explorerframe.dll+3306c|C:\Windows\System32\SHELL32.dll+99473|C:\Windows\System32\SHELL32.dll+99bd4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x800000000000000013941Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.670{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+1b25d|C:\Windows\system32\explorerframe.dll+3458b|C:\Windows\system32\explorerframe.dll+33ee4|C:\Windows\system32\explorerframe.dll+32f8a|C:\Windows\system32\explorerframe.dll+3306c|C:\Windows\System32\SHELL32.dll+99473|C:\Windows\System32\SHELL32.dll+99bd4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x800000000000000013940Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.670{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+1b25d|C:\Windows\system32\explorerframe.dll+3458b|C:\Windows\system32\explorerframe.dll+33ee4|C:\Windows\system32\explorerframe.dll+32f8a|C:\Windows\system32\explorerframe.dll+3306c|C:\Windows\System32\SHELL32.dll+99473|C:\Windows\System32\SHELL32.dll+99bd4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 10341000x800000000000000013939Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.639{8A675139-3B49-5FA5-0B00-000000008801}86496C:\Windows\system32\lsass.exe{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013938Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.639{8A675139-3B49-5FA5-0B00-000000008801}86496C:\Windows\system32\lsass.exe{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013937Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.623{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\windows.storage.dll+15e3de|C:\Windows\System32\windows.storage.dll+15e7d6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174 10341000x800000000000000013936Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.623{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+15e4f5|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf|C:\Windows\System32\SHELL32.dll+13f70e|C:\Windows\System32\SHELL32.dll+13f326|C:\Windows\System32\SHELL32.dll+13eda3|C:\Windows\System32\SHELL32.dll+13e9bb 10341000x800000000000000013935Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.623{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+15e471|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf|C:\Windows\System32\SHELL32.dll+13f70e|C:\Windows\System32\SHELL32.dll+13f326|C:\Windows\System32\SHELL32.dll+13eda3|C:\Windows\System32\SHELL32.dll+13e9bb 10341000x800000000000000013934Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.623{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+15e455|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf 10341000x800000000000000013933Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.623{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+15e455|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf|C:\Windows\System32\SHELL32.dll+13f70e 10341000x800000000000000013932Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.592{8A675139-42DB-5FA5-B806-000000008801}57805936C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\windows.storage.dll+15e3de|C:\Windows\System32\windows.storage.dll+15e7d6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB205788A7D2)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24cf6|C:\Windows\System32\windows.storage.dll+1a9a1b|C:\Windows\System32\shcore.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000013931Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.577{8A675139-42DB-5FA5-B806-000000008801}57805936C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\windows.storage.dll+15e3de|C:\Windows\System32\windows.storage.dll+15e7d6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB205788A7D2)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24cf6|C:\Windows\System32\windows.storage.dll+1a9a1b|C:\Windows\System32\shcore.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000013930Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.577{8A675139-42DB-5FA5-B806-000000008801}57805936C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+15e4f5|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+e95a9|C:\Windows\System32\windows.storage.dll+1a3578|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788F827)|UNKNOWN(FFFFBB2057889EB1)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB205788A7D2)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24cf6|C:\Windows\System32\windows.storage.dll+1a9a1b 10341000x800000000000000013929Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.577{8A675139-42DB-5FA5-B806-000000008801}57805936C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+15e471|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+e95a9|C:\Windows\System32\windows.storage.dll+1a3578|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788F827)|UNKNOWN(FFFFBB2057889EB1)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB205788A7D2)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24cf6|C:\Windows\System32\windows.storage.dll+1a9a1b 10341000x800000000000000013928Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.577{8A675139-42DB-5FA5-B806-000000008801}57805936C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+15e455|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+e95a9|C:\Windows\System32\windows.storage.dll+1a3578|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788F827)|UNKNOWN(FFFFBB2057889EB1)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB205788A7D2) 10341000x800000000000000013927Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.577{8A675139-42DB-5FA5-B806-000000008801}57805936C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+15e455|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+e95a9|C:\Windows\System32\windows.storage.dll+1a3578|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788F827)|UNKNOWN(FFFFBB2057889EB1)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB205788A7D2)|UNKNOWN(FFFFF80175575E03) 10341000x800000000000000013926Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.577{8A675139-42DB-5FA5-B806-000000008801}57805936C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+15e4f5|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+e95a9|C:\Windows\System32\windows.storage.dll+1a3578|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788F827)|UNKNOWN(FFFFBB2057889EB1)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB205788A7D2)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24cf6|C:\Windows\System32\windows.storage.dll+1a9a1b 10341000x800000000000000013925Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.577{8A675139-42DB-5FA5-B806-000000008801}57805936C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+15e471|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+e95a9|C:\Windows\System32\windows.storage.dll+1a3578|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788F827)|UNKNOWN(FFFFBB2057889EB1)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB205788A7D2)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24cf6|C:\Windows\System32\windows.storage.dll+1a9a1b 10341000x800000000000000013924Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.577{8A675139-42DB-5FA5-B806-000000008801}57805936C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+15e455|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+e95a9|C:\Windows\System32\windows.storage.dll+1a3578|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788F827)|UNKNOWN(FFFFBB2057889EB1)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB205788A7D2) 10341000x800000000000000013923Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.577{8A675139-42DB-5FA5-B806-000000008801}57805936C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+15e455|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+e95a9|C:\Windows\System32\windows.storage.dll+1a3578|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788F827)|UNKNOWN(FFFFBB2057889EB1)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB205788A7D2)|UNKNOWN(FFFFF80175575E03) 10341000x800000000000000013922Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.530{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+75fca|C:\Windows\System32\SHELL32.dll+ab7c4|C:\Windows\System32\SHELL32.dll+ab1bb|C:\Windows\System32\SHELL32.dll+aac9d|C:\Windows\System32\SHELL32.dll+54169|C:\Windows\System32\COMDLG32.dll+1357a|C:\Windows\system32\notepad.exe+1988|C:\Windows\system32\notepad.exe+1f4e|C:\Windows\system32\notepad.exe+2320|C:\Windows\system32\notepad.exe+3a72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\notepad.exe+3d81|C:\Windows\system32\notepad.exe+18987|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013921Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.530{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+75fb8|C:\Windows\System32\SHELL32.dll+ab7c4|C:\Windows\System32\SHELL32.dll+ab1bb|C:\Windows\System32\SHELL32.dll+aac9d|C:\Windows\System32\SHELL32.dll+54169|C:\Windows\System32\COMDLG32.dll+1357a|C:\Windows\system32\notepad.exe+1988|C:\Windows\system32\notepad.exe+1f4e|C:\Windows\system32\notepad.exe+2320|C:\Windows\system32\notepad.exe+3a72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\notepad.exe+3d81|C:\Windows\system32\notepad.exe+18987|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013920Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.530{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+75fb8|C:\Windows\System32\SHELL32.dll+ab7c4|C:\Windows\System32\SHELL32.dll+ab1bb|C:\Windows\System32\SHELL32.dll+aac9d|C:\Windows\System32\SHELL32.dll+54169|C:\Windows\System32\COMDLG32.dll+1357a|C:\Windows\system32\notepad.exe+1988|C:\Windows\system32\notepad.exe+1f4e|C:\Windows\system32\notepad.exe+2320|C:\Windows\system32\notepad.exe+3a72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\notepad.exe+3d81|C:\Windows\system32\notepad.exe+18987|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013919Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.436{8A675139-42E5-5FA5-BE06-000000008801}12801124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013918Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.295{8A675139-3BD0-5FA5-C900-000000008801}63926424C:\Windows\system32\conhost.exe{8A675139-42E5-5FA5-BE06-000000008801}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013917Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.295{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013916Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.295{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013915Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.295{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013914Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.295{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013913Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.295{8A675139-3B49-5FA5-0500-000000008801}6481168C:\Windows\system32\csrss.exe{8A675139-42E5-5FA5-BE06-000000008801}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013912Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.295{8A675139-3BD0-5FA5-C500-000000008801}62046152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A675139-42E5-5FA5-BE06-000000008801}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013911Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.296{8A675139-42E5-5FA5-BE06-000000008801}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A675139-3B49-5FA5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013997Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:46.405{8A675139-3BD0-5FA5-C900-000000008801}63926424C:\Windows\system32\conhost.exe{8A675139-42E6-5FA5-BF06-000000008801}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013996Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:46.405{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013995Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:46.405{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013994Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:46.405{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013993Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:46.405{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013992Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:46.405{8A675139-3B49-5FA5-0500-000000008801}6481168C:\Windows\system32\csrss.exe{8A675139-42E6-5FA5-BF06-000000008801}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013991Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:46.405{8A675139-3BD0-5FA5-C500-000000008801}62046152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A675139-42E6-5FA5-BF06-000000008801}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013990Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:46.406{8A675139-42E6-5FA5-BF06-000000008801}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A675139-3B49-5FA5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013989Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.998{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000013988Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.998{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5|C:\Windows\system32\notepad.exe+1988|C:\Windows\system32\notepad.exe+1f4e|C:\Windows\system32\notepad.exe+2320|C:\Windows\system32\notepad.exe+3a72 10341000x800000000000000013987Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.998{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5|C:\Windows\system32\notepad.exe+1988|C:\Windows\system32\notepad.exe+1f4e|C:\Windows\system32\notepad.exe+2320|C:\Windows\system32\notepad.exe+3a72 10341000x800000000000000013986Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.998{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5 10341000x800000000000000013985Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:45.998{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5|C:\Windows\system32\notepad.exe+1988 10341000x800000000000000014002Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:49.202{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\windows.storage.dll+15e3de|C:\Windows\System32\windows.storage.dll+15e7d6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174 10341000x800000000000000014001Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:49.202{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+15e4f5|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+225bc4|C:\Windows\System32\shcore.dll+2f419|C:\Windows\System32\SHELL32.dll+ce2ef|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+28d040|C:\Windows\System32\SHELL32.dll+28b51d|C:\Windows\System32\SHELL32.dll+22538c|C:\Windows\System32\SHELL32.dll+d3319|C:\Windows\System32\SHELL32.dll+d6336|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000014000Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:49.202{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+15e471|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+225bc4|C:\Windows\System32\shcore.dll+2f419|C:\Windows\System32\SHELL32.dll+ce2ef|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+28d040|C:\Windows\System32\SHELL32.dll+28b51d|C:\Windows\System32\SHELL32.dll+22538c|C:\Windows\System32\SHELL32.dll+d3319|C:\Windows\System32\SHELL32.dll+d6336|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000013999Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:49.202{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+15e455|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+225bc4|C:\Windows\System32\shcore.dll+2f419|C:\Windows\System32\SHELL32.dll+ce2ef|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+28d040|C:\Windows\System32\SHELL32.dll+28b51d|C:\Windows\System32\SHELL32.dll+22538c|C:\Windows\System32\SHELL32.dll+d3319|C:\Windows\System32\SHELL32.dll+d6336|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000013998Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:49.202{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+15e455|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+225bc4|C:\Windows\System32\shcore.dll+2f419|C:\Windows\System32\SHELL32.dll+ce2ef|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+28d040|C:\Windows\System32\SHELL32.dll+28b51d|C:\Windows\System32\SHELL32.dll+22538c|C:\Windows\System32\SHELL32.dll+d3319|C:\Windows\System32\SHELL32.dll+d6336|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15 10341000x800000000000000014039Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.451{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000014038Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.451{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000014037Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.451{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000014036Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.451{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000014035Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.451{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000014034Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.451{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000014033Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.451{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000014032Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.451{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014031Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.451{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014030Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.451{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014029Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.451{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000014028Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.451{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014027Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014026Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014025Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000014024Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014023Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014022Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014021Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000014020Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014019Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014018Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014017Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000014016Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014015Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014014Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014013Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000014012Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014011Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014010Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014009Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000014008Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014007Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014006Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014005Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.436{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+2dca7|C:\Windows\system32\explorerframe.dll+2c712|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000014004Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.342{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014003Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:51.342{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014058Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.998{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5|C:\Windows\system32\notepad.exe+1988|C:\Windows\system32\notepad.exe+1f4e|C:\Windows\system32\notepad.exe+2320|C:\Windows\system32\notepad.exe+3a72 10341000x800000000000000014057Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.998{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5|C:\Windows\system32\notepad.exe+1988|C:\Windows\system32\notepad.exe+1f4e|C:\Windows\system32\notepad.exe+2320|C:\Windows\system32\notepad.exe+3a72 10341000x800000000000000014056Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.998{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5 10341000x800000000000000014055Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.998{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5|C:\Windows\system32\notepad.exe+1988 10341000x800000000000000014054Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.717{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000014053Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.717{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8|C:\Windows\System32\SHELL32.dll+13e9bb|C:\Windows\System32\SHELL32.dll+13eb27|C:\Windows\System32\SHELL32.dll+2e93cd|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014052Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.717{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8|C:\Windows\System32\SHELL32.dll+13e9bb|C:\Windows\System32\SHELL32.dll+13eb27|C:\Windows\System32\SHELL32.dll+2e93cd|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014051Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.717{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8 10341000x800000000000000014050Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.717{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8|C:\Windows\System32\SHELL32.dll+13e9bb 10341000x800000000000000014049Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.686{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\windows.storage.dll+15e3de|C:\Windows\System32\windows.storage.dll+15e7d6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174 10341000x800000000000000014048Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.686{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+15e4f5|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf|C:\Windows\System32\SHELL32.dll+13f70e|C:\Windows\System32\SHELL32.dll+13f326|C:\Windows\System32\SHELL32.dll+13eda3|C:\Windows\System32\SHELL32.dll+13e9bb 10341000x800000000000000014047Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.686{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+15e471|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf|C:\Windows\System32\SHELL32.dll+13f70e|C:\Windows\System32\SHELL32.dll+13f326|C:\Windows\System32\SHELL32.dll+13eda3|C:\Windows\System32\SHELL32.dll+13e9bb 10341000x800000000000000014046Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.686{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+15e455|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf 10341000x800000000000000014045Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.686{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+15e455|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf|C:\Windows\System32\SHELL32.dll+13f70e 10341000x800000000000000014044Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.686{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000014043Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.670{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+2e8af9|C:\Windows\System32\SHELL32.dll+20a574|C:\Windows\System32\SHELL32.dll+2e5c2b|C:\Windows\System32\SHELL32.dll+42df1d|C:\Windows\System32\SHELL32.dll+42cbb4|C:\Windows\system32\explorerframe.dll+104760|C:\Windows\system32\explorerframe.dll+a7e60|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2 10341000x800000000000000014042Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.670{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+2e8af9|C:\Windows\System32\SHELL32.dll+20a574|C:\Windows\System32\SHELL32.dll+2e5c2b|C:\Windows\System32\SHELL32.dll+42df1d|C:\Windows\System32\SHELL32.dll+42cbb4|C:\Windows\system32\explorerframe.dll+104760|C:\Windows\system32\explorerframe.dll+a7e60|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+587a9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+585f2 10341000x800000000000000014041Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.670{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+2e8af9|C:\Windows\System32\SHELL32.dll+20a574|C:\Windows\System32\SHELL32.dll+2e5c2b|C:\Windows\System32\SHELL32.dll+42df1d|C:\Windows\System32\SHELL32.dll+42cbb4|C:\Windows\system32\explorerframe.dll+104760|C:\Windows\system32\explorerframe.dll+a7e60|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750 10341000x800000000000000014040Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.670{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+2e8af9|C:\Windows\System32\SHELL32.dll+20a574|C:\Windows\System32\SHELL32.dll+2e5c2b|C:\Windows\System32\SHELL32.dll+42df1d|C:\Windows\System32\SHELL32.dll+42cbb4|C:\Windows\system32\explorerframe.dll+104760|C:\Windows\system32\explorerframe.dll+a7e60|C:\Windows\system32\explorerframe.dll+31a20|C:\Windows\system32\explorerframe.dll+5ebb9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58750|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.3053_none_7de042968342015d\COMCTL32.dll+58527 10341000x800000000000000014059Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:52.998{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000014069Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:54.983{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000014068Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:54.983{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8|C:\Windows\System32\SHELL32.dll+13e9bb|C:\Windows\System32\SHELL32.dll+13eb27|C:\Windows\System32\SHELL32.dll+2e93cd|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014067Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:54.983{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8|C:\Windows\System32\SHELL32.dll+13e9bb|C:\Windows\System32\SHELL32.dll+13eb27|C:\Windows\System32\SHELL32.dll+2e93cd|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014066Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:54.983{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8 10341000x800000000000000014065Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:54.983{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8|C:\Windows\System32\SHELL32.dll+13e9bb 10341000x800000000000000014064Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:54.967{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\windows.storage.dll+15e3de|C:\Windows\System32\windows.storage.dll+15e7d6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174 10341000x800000000000000014063Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:54.951{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+15e4f5|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf|C:\Windows\System32\SHELL32.dll+13f70e|C:\Windows\System32\SHELL32.dll+13f326|C:\Windows\System32\SHELL32.dll+13eda3|C:\Windows\System32\SHELL32.dll+13e9bb 10341000x800000000000000014062Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:54.951{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+15e471|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf|C:\Windows\System32\SHELL32.dll+13f70e|C:\Windows\System32\SHELL32.dll+13f326|C:\Windows\System32\SHELL32.dll+13eda3|C:\Windows\System32\SHELL32.dll+13e9bb 10341000x800000000000000014061Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:54.951{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+15e455|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf 10341000x800000000000000014060Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:54.951{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+15e455|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf|C:\Windows\System32\SHELL32.dll+13f70e 10341000x800000000000000014074Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:55.264{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000014073Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:55.264{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5|C:\Windows\system32\notepad.exe+1988|C:\Windows\system32\notepad.exe+1f4e|C:\Windows\system32\notepad.exe+2320|C:\Windows\system32\notepad.exe+3a72 10341000x800000000000000014072Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:55.264{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5|C:\Windows\system32\notepad.exe+1988|C:\Windows\system32\notepad.exe+1f4e|C:\Windows\system32\notepad.exe+2320|C:\Windows\system32\notepad.exe+3a72 10341000x800000000000000014071Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:55.264{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5 10341000x800000000000000014070Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:55.264{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5|C:\Windows\system32\notepad.exe+1988 10341000x800000000000000014084Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:56.217{8A675139-3BB2-5FA5-9B00-000000008801}50961188C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+6437|C:\Windows\System32\SHCORE.dll+6327|C:\Windows\System32\SHCORE.dll+629d|C:\Windows\System32\SHCORE.dll+61aa|C:\Windows\System32\SHELL32.dll+5a2f7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB2057889B36)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1e9ce|C:\Windows\System32\SHELL32.dll+bdbeb|C:\Windows\System32\SHELL32.dll+5583a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000014083Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:56.217{8A675139-3BB2-5FA5-9B00-000000008801}50961188C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+6437|C:\Windows\System32\SHCORE.dll+6327|C:\Windows\System32\SHCORE.dll+629d|C:\Windows\System32\SHCORE.dll+61aa|C:\Windows\System32\SHELL32.dll+5a2f7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB2057889B36)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1e9ce|C:\Windows\System32\SHELL32.dll+bdc54|C:\Windows\System32\SHELL32.dll+5583a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000014082Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:56.217{8A675139-3BB2-5FA5-9B00-000000008801}50961188C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+124a5|C:\Windows\System32\SHELL32.dll+bb8df|C:\Windows\System32\SHELL32.dll+bd1d8|C:\Windows\System32\SHELL32.dll+b9e45|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+bdc3a|C:\Windows\System32\SHELL32.dll+5583a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014081Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:56.217{8A675139-3BB2-5FA5-9B00-000000008801}50961188C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+124a5|C:\Windows\System32\SHELL32.dll+bb84a|C:\Windows\System32\SHELL32.dll+bd1d8|C:\Windows\System32\SHELL32.dll+b9e45|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+bdc3a|C:\Windows\System32\SHELL32.dll+5583a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014080Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:56.217{8A675139-3BB2-5FA5-9B00-000000008801}50961188C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+6422|C:\Windows\System32\SHCORE.dll+611d|C:\Windows\System32\SHCORE.dll+5ddd|C:\Windows\System32\SHCORE.dll+5d6f|C:\Windows\System32\SHCORE.dll+5c74|C:\Windows\System32\SHELL32.dll+bb826|C:\Windows\System32\SHELL32.dll+bd1d8|C:\Windows\System32\SHELL32.dll+b9e45|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+bdc3a|C:\Windows\System32\SHELL32.dll+5583a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014079Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:56.217{8A675139-3BB2-5FA5-9B00-000000008801}50961188C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+60f4|C:\Windows\System32\SHCORE.dll+5ddd|C:\Windows\System32\SHCORE.dll+5d6f|C:\Windows\System32\SHCORE.dll+5c74|C:\Windows\System32\SHELL32.dll+bb826|C:\Windows\System32\SHELL32.dll+bd1d8|C:\Windows\System32\SHELL32.dll+b9e45|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+bdc3a|C:\Windows\System32\SHELL32.dll+5583a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014078Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:56.217{8A675139-3BB2-5FA5-9B00-000000008801}50961188C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+124a5|C:\Windows\System32\SHELL32.dll+bb8df|C:\Windows\System32\SHELL32.dll+bd1d8|C:\Windows\System32\SHELL32.dll+b9e45|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+bdc3a|C:\Windows\System32\SHELL32.dll+5583a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014077Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:56.217{8A675139-3BB2-5FA5-9B00-000000008801}50961188C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+124a5|C:\Windows\System32\SHELL32.dll+bb84a|C:\Windows\System32\SHELL32.dll+bd1d8|C:\Windows\System32\SHELL32.dll+b9e45|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+bdc3a|C:\Windows\System32\SHELL32.dll+5583a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014076Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:56.217{8A675139-3BB2-5FA5-9B00-000000008801}50961188C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+6422|C:\Windows\System32\SHCORE.dll+611d|C:\Windows\System32\SHCORE.dll+5ddd|C:\Windows\System32\SHCORE.dll+5d6f|C:\Windows\System32\SHCORE.dll+5c74|C:\Windows\System32\SHELL32.dll+bb826|C:\Windows\System32\SHELL32.dll+bd1d8|C:\Windows\System32\SHELL32.dll+b9e45|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+bdc3a|C:\Windows\System32\SHELL32.dll+5583a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014075Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:56.217{8A675139-3BB2-5FA5-9B00-000000008801}50961188C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+60f4|C:\Windows\System32\SHCORE.dll+5ddd|C:\Windows\System32\SHCORE.dll+5d6f|C:\Windows\System32\SHCORE.dll+5c74|C:\Windows\System32\SHELL32.dll+bb826|C:\Windows\System32\SHELL32.dll+bd1d8|C:\Windows\System32\SHELL32.dll+b9e45|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+bdc3a|C:\Windows\System32\SHELL32.dll+5583a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014094Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:57.936{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000014093Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:57.936{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8|C:\Windows\System32\SHELL32.dll+13e9bb|C:\Windows\System32\SHELL32.dll+13eb27|C:\Windows\System32\SHELL32.dll+2e93cd|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014092Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:57.936{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8|C:\Windows\System32\SHELL32.dll+13e9bb|C:\Windows\System32\SHELL32.dll+13eb27|C:\Windows\System32\SHELL32.dll+2e93cd|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000014091Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:57.936{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8 10341000x800000000000000014090Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:57.936{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\system32\explorerframe.dll+28f3c|C:\Windows\system32\explorerframe.dll+28e97|C:\Windows\system32\explorerframe.dll+2a6c4|C:\Windows\system32\explorerframe.dll+611a6|C:\Windows\system32\explorerframe.dll+5a710|C:\Windows\System32\COMDLG32.dll+1e667|C:\Windows\System32\SHLWAPI.dll+26f1|C:\Windows\System32\SHLWAPI.dll+260d|C:\Windows\System32\SHLWAPI.dll+24c6|C:\Windows\System32\SHLWAPI.dll+233d|C:\Windows\System32\SHELL32.dll+13f937|C:\Windows\System32\SHELL32.dll+13edb8|C:\Windows\System32\SHELL32.dll+13e9bb 10341000x800000000000000014089Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:57.920{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\windows.storage.dll+15e3de|C:\Windows\System32\windows.storage.dll+15e7d6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174 10341000x800000000000000014088Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:57.920{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+15e4f5|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf|C:\Windows\System32\SHELL32.dll+13f70e|C:\Windows\System32\SHELL32.dll+13f326|C:\Windows\System32\SHELL32.dll+13eda3|C:\Windows\System32\SHELL32.dll+13e9bb 10341000x800000000000000014087Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:57.920{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+15e471|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf|C:\Windows\System32\SHELL32.dll+13f70e|C:\Windows\System32\SHELL32.dll+13f326|C:\Windows\System32\SHELL32.dll+13eda3|C:\Windows\System32\SHELL32.dll+13e9bb 10341000x800000000000000014086Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:57.920{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+15e455|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf 10341000x800000000000000014085Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:57.920{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+15e455|C:\Windows\System32\windows.storage.dll+15e613|C:\Windows\System32\windows.storage.dll+15ea68|C:\Windows\System32\windows.storage.dll+15ee1b|C:\Windows\System32\windows.storage.dll+155bc1|C:\Windows\System32\windows.storage.dll+157536|C:\Windows\System32\windows.storage.dll+157db1|C:\Windows\system32\explorerframe.dll+775df|C:\Windows\system32\explorerframe.dll+77ae8|C:\Windows\system32\explorerframe.dll+4e30a|C:\Windows\system32\explorerframe.dll+4ff53|C:\Windows\system32\explorerframe.dll+47777|C:\Windows\System32\SHELL32.dll+ce44c|C:\Windows\System32\SHELL32.dll+cdf95|C:\Windows\System32\SHELL32.dll+ceaad|C:\Windows\System32\SHELL32.dll+d20cf|C:\Windows\System32\SHELL32.dll+13f70e 10341000x800000000000000014099Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:58.373{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+aabf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+229f3|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8017585E8D8)|UNKNOWN(FFFFBB205788F6A8)|UNKNOWN(FFFFBB205788A355)|UNKNOWN(FFFFBB205788B87A)|UNKNOWN(FFFFBB20578FF9C5)|UNKNOWN(FFFFF80175575E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+268c4|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000014098Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:58.373{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aaa7d|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5|C:\Windows\system32\notepad.exe+1988|C:\Windows\system32\notepad.exe+1f4e|C:\Windows\system32\notepad.exe+2320|C:\Windows\system32\notepad.exe+3a72 10341000x800000000000000014097Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:58.373{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+aa9f9|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5|C:\Windows\system32\notepad.exe+1988|C:\Windows\system32\notepad.exe+1f4e|C:\Windows\system32\notepad.exe+2320|C:\Windows\system32\notepad.exe+3a72 10341000x800000000000000014096Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:58.373{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5 10341000x800000000000000014095Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:34:58.373{8A675139-42DB-5FA5-B806-000000008801}57805316C:\Windows\system32\notepad.exe{8A675139-3BB2-5FA5-9B00-000000008801}5096C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+aa9dd|C:\Windows\System32\SHELL32.dll+ab123|C:\Windows\System32\SHELL32.dll+ab054|C:\Windows\System32\SHELL32.dll+aa902|C:\Windows\System32\SHELL32.dll+abc30|C:\Windows\System32\SHELL32.dll+abb5d|C:\Windows\system32\explorerframe.dll+29e36|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e907|C:\Windows\System32\USER32.dll+2e7b3|C:\Windows\System32\USER32.dll+2e652|C:\Windows\System32\USER32.dll+2e5e8|C:\Windows\System32\COMDLG32.dll+135a5|C:\Windows\system32\notepad.exe+1988 10341000x800000000000000014100Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:04.795{8A675139-3B4B-5FA5-0D00-000000008801}10042120C:\Windows\system32\svchost.exe{8A675139-3B4B-5FA5-1000-000000008801}1160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000014104Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:05.529{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exeC:\Windows\System32\test.bat2020-11-06 12:35:05.467 10341000x800000000000000014103Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:05.482{8A675139-3BB2-5FA5-9B00-000000008801}50964364C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+18319|C:\Windows\System32\SHELL32.dll+c51e0|C:\Windows\System32\SHELL32.dll+c5a07|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014102Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:05.482{8A675139-3BB2-5FA5-9B00-000000008801}50964364C:\Windows\Explorer.EXE{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c4c94|C:\Windows\System32\SHELL32.dll+c5a07|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000014101Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:05.467{8A675139-42DB-5FA5-B806-000000008801}5780C:\Windows\system32\notepad.exeC:\Windows\System32\test.bat2020-11-06 12:35:05.467 10341000x800000000000000014110Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:08.967{8A675139-3B4B-5FA5-1000-000000008801}11601904C:\Windows\system32\svchost.exe{8A675139-42FC-5FA5-C006-000000008801}5752C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014109Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:08.967{8A675139-3B4B-5FA5-1000-000000008801}11601708C:\Windows\system32\svchost.exe{8A675139-42FC-5FA5-C006-000000008801}5752C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014108Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:08.967{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-42FC-5FA5-C006-000000008801}5752C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014107Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:08.967{8A675139-3BB0-5FA5-8B00-000000008801}49442804C:\Windows\system32\csrss.exe{8A675139-42FC-5FA5-C006-000000008801}5752C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014106Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:08.967{8A675139-3B49-5FA5-0500-000000008801}648664C:\Windows\system32\csrss.exe{8A675139-42FC-5FA5-C006-000000008801}5752C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014105Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:08.967{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-42FC-5FA5-C006-000000008801}5752C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014120Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:11.607{8A675139-3B4B-5FA5-1000-000000008801}11601904C:\Windows\system32\svchost.exe{8A675139-42FF-5FA5-C106-000000008801}644C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014119Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:11.607{8A675139-3B4B-5FA5-1000-000000008801}11601708C:\Windows\system32\svchost.exe{8A675139-42FF-5FA5-C106-000000008801}644C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014118Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:11.592{8A675139-3BB0-5FA5-8B00-000000008801}49444984C:\Windows\system32\csrss.exe{8A675139-42FF-5FA5-C106-000000008801}644C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014117Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:11.592{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014116Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:11.592{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014115Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:11.592{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014114Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:11.592{8A675139-3B4B-5FA5-0C00-000000008801}6081116C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014113Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:11.592{8A675139-3B49-5FA5-0500-000000008801}6481168C:\Windows\system32\csrss.exe{8A675139-42FF-5FA5-C106-000000008801}644C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014112Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:11.592{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-42FF-5FA5-C106-000000008801}644C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014111Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:11.597{8A675139-42FF-5FA5-C106-000000008801}644C:\Windows\System32\rundll32.exe10.0.14393.0 (rs1_release.160715-1616)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{8A675139-3BB1-5FA5-32E0-050000000000}0x5e0322HighMD5=C7645D43451C6D94D87F4D07BDE59C89,SHA256=495BBA47FC43EE23054FCD419F2F00457162D1C04296900C6AEA551102A810F3,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{8A675139-3B4B-5FA5-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000014128Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:41.528{8A675139-3BD0-5FA5-C900-000000008801}63926424C:\Windows\system32\conhost.exe{8A675139-431D-5FA5-C206-000000008801}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014127Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:41.528{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014126Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:41.528{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014125Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:41.528{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014124Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:41.528{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014123Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:41.528{8A675139-3B49-5FA5-0500-000000008801}648772C:\Windows\system32\csrss.exe{8A675139-431D-5FA5-C206-000000008801}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014122Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:41.528{8A675139-3BD0-5FA5-C500-000000008801}62046152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A675139-431D-5FA5-C206-000000008801}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014121Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:41.529{8A675139-431D-5FA5-C206-000000008801}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A675139-3B49-5FA5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014145Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.872{8A675139-3BD0-5FA5-C900-000000008801}63926424C:\Windows\system32\conhost.exe{8A675139-431E-5FA5-C406-000000008801}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014144Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.872{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014143Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.872{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014142Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.872{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014141Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.872{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014140Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.872{8A675139-3B49-5FA5-0500-000000008801}6482436C:\Windows\system32\csrss.exe{8A675139-431E-5FA5-C406-000000008801}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014139Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.872{8A675139-3BD0-5FA5-C500-000000008801}62046152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A675139-431E-5FA5-C406-000000008801}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014138Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.873{8A675139-431E-5FA5-C406-000000008801}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A675139-3B49-5FA5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014137Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.356{8A675139-431E-5FA5-C306-000000008801}50446108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014136Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.200{8A675139-3BD0-5FA5-C900-000000008801}63926424C:\Windows\system32\conhost.exe{8A675139-431E-5FA5-C306-000000008801}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014135Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.200{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014134Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.200{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014133Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.200{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014132Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.200{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014131Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.200{8A675139-3B49-5FA5-0500-000000008801}648772C:\Windows\system32\csrss.exe{8A675139-431E-5FA5-C306-000000008801}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014130Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.200{8A675139-3BD0-5FA5-C500-000000008801}62046152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A675139-431E-5FA5-C306-000000008801}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014129Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:42.201{8A675139-431E-5FA5-C306-000000008801}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A675139-3B49-5FA5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014154Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:43.919{8A675139-431F-5FA5-C506-000000008801}2772580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014153Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:43.763{8A675139-3BD0-5FA5-C900-000000008801}63926424C:\Windows\system32\conhost.exe{8A675139-431F-5FA5-C506-000000008801}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014152Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:43.763{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014151Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:43.763{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014150Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:43.763{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014149Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:43.763{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014148Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:43.763{8A675139-3B49-5FA5-0500-000000008801}648772C:\Windows\system32\csrss.exe{8A675139-431F-5FA5-C506-000000008801}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014147Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:43.763{8A675139-3BD0-5FA5-C500-000000008801}62046152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A675139-431F-5FA5-C506-000000008801}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014146Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:43.763{8A675139-431F-5FA5-C506-000000008801}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A675139-3B49-5FA5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014163Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:44.778{8A675139-4320-5FA5-C606-000000008801}23842460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014162Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:44.622{8A675139-3BD0-5FA5-C900-000000008801}63926424C:\Windows\system32\conhost.exe{8A675139-4320-5FA5-C606-000000008801}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014161Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:44.622{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014160Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:44.622{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014159Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:44.622{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014158Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:44.622{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014157Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:44.622{8A675139-3B49-5FA5-0500-000000008801}6481168C:\Windows\system32\csrss.exe{8A675139-4320-5FA5-C606-000000008801}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014156Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:44.622{8A675139-3BD0-5FA5-C500-000000008801}62046152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A675139-4320-5FA5-C606-000000008801}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014155Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:44.623{8A675139-4320-5FA5-C606-000000008801}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A675139-3B49-5FA5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014172Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:45.434{8A675139-4321-5FA5-C706-000000008801}64683796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014171Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:45.294{8A675139-3BD0-5FA5-C900-000000008801}63926424C:\Windows\system32\conhost.exe{8A675139-4321-5FA5-C706-000000008801}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014170Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:45.294{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014169Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:45.294{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014168Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:45.294{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014167Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:45.294{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014166Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:45.294{8A675139-3B49-5FA5-0500-000000008801}6482436C:\Windows\system32\csrss.exe{8A675139-4321-5FA5-C706-000000008801}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014165Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:45.294{8A675139-3BD0-5FA5-C500-000000008801}62046152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A675139-4321-5FA5-C706-000000008801}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014164Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:45.294{8A675139-4321-5FA5-C706-000000008801}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A675139-3B49-5FA5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014180Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:46.419{8A675139-3BD0-5FA5-C900-000000008801}63926424C:\Windows\system32\conhost.exe{8A675139-4322-5FA5-C806-000000008801}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014179Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:46.419{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014178Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:46.419{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014177Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:46.419{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014176Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:46.419{8A675139-3B4B-5FA5-0C00-000000008801}6086096C:\Windows\system32\svchost.exe{8A675139-3B5B-5FA5-2C00-000000008801}2824C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014175Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:46.419{8A675139-3B49-5FA5-0500-000000008801}6481168C:\Windows\system32\csrss.exe{8A675139-4322-5FA5-C806-000000008801}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014174Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:46.419{8A675139-3BD0-5FA5-C500-000000008801}62046152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A675139-4322-5FA5-C806-000000008801}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014173Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.local-2020-11-06 12:35:46.420{8A675139-4322-5FA5-C806-000000008801}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A675139-3B49-5FA5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8A675139-3BD0-5FA5-C500-000000008801}6204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000014181Microsoft-Windows-Sysmon/Operationalwin-dc-272.attackrange.localRDP2020-11-06 12:35:48.629{8A675139-3B4B-5FA5-0F00-000000008801}1152C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.1.123-62757-false10.0.1.14win-dc-272.attackrange.local3389ms-wbt-server